From 1dc9e74df4b12b6996b94a595efe21c4724243af Mon Sep 17 00:00:00 2001
From: orignal
Date: Sat, 30 Jan 2016 10:35:32 -0500
Subject: [PATCH] check TunnelBuild message size
---
 I2NPProtocol.cpp | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/I2NPProtocol.cpp b/I2NPProtocol.cpp
index 8f528f3c..2cd2b0b2 100644
--- a/I2NPProtocol.cpp
+++ b/I2NPProtocol.cpp
@@ -329,6 +329,11 @@ namespace i2p
 {
 int num = buf[0];
 LogPrint (eLogDebug, "I2NP: VariableTunnelBuild ", num, " records");
+ if (len < num*BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE + 1)
+ {
+ LogPrint (eLogError, "VaribleTunnelBuild message of ", num, " records is too short ", len);
+ return;
+ }
 auto tunnel = i2p::tunnel::tunnels.GetPendingInboundTunnel (replyMsgID);
 if (tunnel)
@@ -370,6 +375,11 @@ namespace i2p
 void HandleTunnelBuildMsg (uint8_t * buf, size_t len)
 {
+ if (len < NUM_TUNNEL_BUILD_RECORDS*BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE)
+ {
+ LogPrint (eLogError, "TunnelBuild message is too short ", len);
+ return;
+ }
 uint8_t clearText[BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE];
 if (HandleBuildRequestRecords (NUM_TUNNEL_BUILD_RECORDS, buf, clearText))
 {
@@ -390,7 +400,14 @@ namespace i2p
 void HandleVariableTunnelBuildReplyMsg (uint32_t replyMsgID, uint8_t * buf, size_t len)
 {
- LogPrint (eLogDebug, "I2NP: VariableTunnelBuildReplyMsg replyMsgID=", replyMsgID);
+ int num = buf[0];
+ LogPrint (eLogDebug, "I2NP: VariableTunnelBuildReplyMsg of ", num, " records replyMsgID=", replyMsgID);
+ if (len < num*BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE + 1)
+ {
+ LogPrint (eLogError, "VaribleTunnelBuildReply message of ", num, " records is too short ", len);
+ return;
+ }
+
 auto tunnel = i2p::tunnel::tunnels.GetPendingOutboundTunnel (replyMsgID);
 if (tunnel)
 {
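Review bot: The new bound in HandleVariableTunnelBuildMsg multiplies `num` by BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE, which is the size of a decrypted record (the second hunk uses the same constant to size the `clearText` output buffer) and not necessarily the size of a record as it sits in `buf`. If an encrypted record on the wire is larger than its clear text, which this diff does not show, a truncated message still passes the check and the record handling that follows can read past `len`. The comparison should use the on-wire record size, e.g. `if (len < num*RECORD_SIZE_ON_WIRE + 1)`, where RECORD_SIZE_ON_WIRE is a placeholder for the project's constant for one encrypted record. The checks added in HandleTunnelBuildMsg and HandleVariableTunnelBuildReplyMsg use the same constant and need the same change. The function starts and ends outside this hunk.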
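Review bot: The error message added in HandleTunnelBuildMsg has no `I2NP: ` prefix, while the debug messages visible in the other two hunks carry it, so a rejected message is hard to find when the log is filtered by subsystem. I would write `LogPrint (eLogError, "I2NP: TunnelBuild message is too short ", len);`. The two other new error messages also lack the prefix and spell the name `Varible`, which will not match a search for `VariableTunnelBuild`. The function body continues past the end of this hunk.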
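Review bot: The added `int num = buf[0];` in HandleVariableTunnelBuildReplyMsg reads the first byte before `len` has been looked at, so a call with `len == 0` (if a caller can produce one; the callers are not in this diff) reads outside the message before the new size check rejects it. Placing a guard such as `if (len < 1) return;` ahead of the read keeps the check in front of every access to `buf`. HandleVariableTunnelBuildMsg in the first hunk has the same order, though there the read is an unchanged line. The function body continues past the end of this hunk.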