Digital_Voice_Modem_Project
/
dvmhost
mirror of https://github.com/DVMProject/dvmhost.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUGFIX: fix some unbounded array checking;

Browse Source
r05a04_dev
Bryan Biedenkapp 2 months ago
parent 99c4064ed3
commit 463bdee4bf
3 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File

2
src/common/network/NetRPC.cpp
Unescape View File

@ -25,7 +25,7 @@ using namespace network::frame;
#include <cmath> #include <cmath>
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// Public Class Members // Constants
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
#define REPLY_WAIT 200 // 200ms #define REPLY_WAIT 200 // 200ms

15
src/common/network/PacketBuffer.cpp
Unescape View File

@ -17,6 +17,13 @@ using namespace compress;
#include <cassert> #include <cassert>
// ---------------------------------------------------------------------------
// Constants
// ---------------------------------------------------------------------------
#define MAX_FRAGMENT_SIZE 8192 * 1024 // 8MB max
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// Public Class Members // Public Class Members
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
@ -59,6 +66,14 @@ bool PacketBuffer::decode(const uint8_t* data, uint8_t** message, uint32_t* outL
uint32_t size = GET_UINT32(data, 0U); uint32_t size = GET_UINT32(data, 0U);
uint32_t compressedSize = GET_UINT32(data, 4U); uint32_t compressedSize = GET_UINT32(data, 4U);
// make sure we can't exceed max fragment size -- prevent potential DOS attack by sending
// enormous fragment sizes
if (size > MAX_FRAGMENT_SIZE || compressedSize > MAX_FRAGMENT_SIZE) {
LogError(LOG_NET, "%s, fragment size exceeds maximum. BUGBUG.", m_name);
delete frag;
return false;
}
frag->size = size; frag->size = size;
frag->compressedSize = compressedSize; frag->compressedSize = compressedSize;
} }

6
src/common/network/udp/Socket.cpp
Unescape View File

@ -325,6 +325,12 @@ ssize_t Socket::read(uint8_t* buffer, uint32_t length, sockaddr_storage& address
// does the network packet contain the appropriate magic leader? // does the network packet contain the appropriate magic leader?
uint16_t magic = GET_UINT16(buffer, 0U); uint16_t magic = GET_UINT16(buffer, 0U);
if (magic == AES_WRAPPED_PCKT_MAGIC) { if (magic == AES_WRAPPED_PCKT_MAGIC) {
// prevent malicious packets that are too short
if (len < 2U + crypto::AES::BLOCK_BYTES_LEN) {
LogError(LOG_NET, "Encrypted packet too short");
return -1;
}
uint32_t cryptedLen = (len - 2U) * sizeof(uint8_t); uint32_t cryptedLen = (len - 2U) * sizeof(uint8_t);
uint8_t* cryptoBuffer = buffer + 2U; uint8_t* cryptoBuffer = buffer + 2U;

Write Preview
Loading…
Cancel
Save

Powered by TurnKey Linux.