Browse Source

leaseset: add missing bound checks

This builds on ChadF's issue and patch (https://github.com/PurpleI2P/i2pd/issues/1772)
and fixes other potential bound check issues.
pull/1776/head
Simon Vetter 2 years ago
parent
commit
412a245e88
  1. 35
      libi2pd/LeaseSet.cpp

35
libi2pd/LeaseSet.cpp

@ -59,9 +59,9 @@ namespace data
if (readIdentity || !m_Identity) if (readIdentity || !m_Identity)
m_Identity = std::make_shared<IdentityEx>(m_Buffer, m_BufferLen); m_Identity = std::make_shared<IdentityEx>(m_Buffer, m_BufferLen);
size_t size = m_Identity->GetFullLen (); size_t size = m_Identity->GetFullLen ();
if (size > m_BufferLen) if (size + 256 > m_BufferLen)
{ {
LogPrint (eLogError, "LeaseSet: Identity length ", size, " exceeds buffer size ", m_BufferLen); LogPrint (eLogError, "LeaseSet: Identity length ", int(size), " exceeds buffer size ", int(m_BufferLen));
m_IsValid = false; m_IsValid = false;
return; return;
} }
@ -74,7 +74,7 @@ namespace data
size += m_Identity->GetSigningPublicKeyLen (); // unused signing key size += m_Identity->GetSigningPublicKeyLen (); // unused signing key
if (size + 1 > m_BufferLen) if (size + 1 > m_BufferLen)
{ {
LogPrint (eLogError, "LeaseSet: ", size, " exceeds buffer size ", m_BufferLen); LogPrint (eLogError, "LeaseSet: ", int(size), " exceeds buffer size ", int(m_BufferLen));
m_IsValid = false; m_IsValid = false;
return; return;
} }
@ -89,7 +89,7 @@ namespace data
} }
if (size + num*LEASE_SIZE > m_BufferLen) if (size + num*LEASE_SIZE > m_BufferLen)
{ {
LogPrint (eLogError, "LeaseSet: ", size, " exceeds buffer size ", m_BufferLen); LogPrint (eLogError, "LeaseSet: ", int(size), " exceeds buffer size ", int(m_BufferLen));
m_IsValid = false; m_IsValid = false;
return; return;
} }
@ -125,7 +125,7 @@ namespace data
auto signedSize = leases - m_Buffer; auto signedSize = leases - m_Buffer;
if (signedSize + m_Identity->GetSignatureLen () > m_BufferLen) if (signedSize + m_Identity->GetSignatureLen () > m_BufferLen)
{ {
LogPrint (eLogError, "LeaseSet: Signature exceeds buffer size ", m_BufferLen); LogPrint (eLogError, "LeaseSet: Signature exceeds buffer size ", int(m_BufferLen));
m_IsValid = false; m_IsValid = false;
} }
else if (!m_Identity->Verify (m_Buffer, signedSize, leases)) else if (!m_Identity->Verify (m_Buffer, signedSize, leases))
@ -274,7 +274,7 @@ namespace data
{ {
if (len <= m_BufferLen) m_BufferLen = len; if (len <= m_BufferLen) m_BufferLen = len;
else else
LogPrint (eLogError, "LeaseSet2: Actual buffer size ", len , " exceeds full buffer size ", m_BufferLen); LogPrint (eLogError, "LeaseSet2: Actual buffer size ", int(len) , " exceeds full buffer size ", int(m_BufferLen));
} }
LeaseSet2::LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, bool storeLeases, CryptoKeyType preferredCrypto): LeaseSet2::LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, bool storeLeases, CryptoKeyType preferredCrypto):
@ -320,7 +320,7 @@ namespace data
else else
identity = GetIdentity (); identity = GetIdentity ();
size_t offset = identity->GetFullLen (); size_t offset = identity->GetFullLen ();
if (offset + 8 >= len) return; if (offset + 8 > len) return;
m_PublishedTimestamp = bufbe32toh (buf + offset); offset += 4; // published timestamp (seconds) m_PublishedTimestamp = bufbe32toh (buf + offset); offset += 4; // published timestamp (seconds)
uint16_t expires = bufbe16toh (buf + offset); offset += 2; // expires (seconds) uint16_t expires = bufbe16toh (buf + offset); offset += 2; // expires (seconds)
SetExpirationTime ((m_PublishedTimestamp + expires)*1000LL); // in milliseconds SetExpirationTime ((m_PublishedTimestamp + expires)*1000LL); // in milliseconds
@ -364,6 +364,10 @@ namespace data
SetIsValid (verified); SetIsValid (verified);
} }
offset += m_TransientVerifier ? m_TransientVerifier->GetSignatureLen () : identity->GetSignatureLen (); offset += m_TransientVerifier ? m_TransientVerifier->GetSignatureLen () : identity->GetSignatureLen ();
if (offset > len) {
LogPrint (eLogWarning, "LeaseSet2: short buffer: wanted ", int(offset), "bytes, have ", int(len));
return;
}
SetBufferLen (offset); SetBufferLen (offset);
} }
@ -388,17 +392,17 @@ namespace data
// properties // properties
uint16_t propertiesLen = bufbe16toh (buf + offset); offset += 2; uint16_t propertiesLen = bufbe16toh (buf + offset); offset += 2;
offset += propertiesLen; // skip for now. TODO: implement properties offset += propertiesLen; // skip for now. TODO: implement properties
if (offset + 1 >= len) return 0;
// key sections // key sections
CryptoKeyType preferredKeyType = m_EncryptionType; CryptoKeyType preferredKeyType = m_EncryptionType;
bool preferredKeyFound = false; bool preferredKeyFound = false;
if (offset + 1 > len) return 0;
int numKeySections = buf[offset]; offset++; int numKeySections = buf[offset]; offset++;
for (int i = 0; i < numKeySections; i++) for (int i = 0; i < numKeySections; i++)
{ {
if (offset + 4 > len) return 0;
uint16_t keyType = bufbe16toh (buf + offset); offset += 2; // encryption key type uint16_t keyType = bufbe16toh (buf + offset); offset += 2; // encryption key type
if (offset + 2 >= len) return 0;
uint16_t encryptionKeyLen = bufbe16toh (buf + offset); offset += 2; uint16_t encryptionKeyLen = bufbe16toh (buf + offset); offset += 2;
if (offset + encryptionKeyLen >= len) return 0; if (offset + encryptionKeyLen > len) return 0;
if (IsStoreLeases () && !preferredKeyFound) // create encryptor with leases only if (IsStoreLeases () && !preferredKeyFound) // create encryptor with leases only
{ {
// we pick first valid key if preferred not found // we pick first valid key if preferred not found
@ -413,7 +417,7 @@ namespace data
offset += encryptionKeyLen; offset += encryptionKeyLen;
} }
// leases // leases
if (offset + 1 >= len) return 0; if (offset + 1 > len) return 0;
int numLeases = buf[offset]; offset++; int numLeases = buf[offset]; offset++;
auto ts = i2p::util::GetMillisecondsSinceEpoch (); auto ts = i2p::util::GetMillisecondsSinceEpoch ();
if (IsStoreLeases ()) if (IsStoreLeases ())
@ -432,7 +436,8 @@ namespace data
} }
else else
offset += numLeases*LEASE2_SIZE; // 40 bytes per lease offset += numLeases*LEASE2_SIZE; // 40 bytes per lease
return offset;
return (offset > len ? 0 : offset);
} }
size_t LeaseSet2::ReadMetaLS2TypeSpecificPart (const uint8_t * buf, size_t len) size_t LeaseSet2::ReadMetaLS2TypeSpecificPart (const uint8_t * buf, size_t len)
@ -442,18 +447,18 @@ namespace data
uint16_t propertiesLen = bufbe16toh (buf + offset); offset += 2; uint16_t propertiesLen = bufbe16toh (buf + offset); offset += 2;
offset += propertiesLen; // skip for now. TODO: implement properties offset += propertiesLen; // skip for now. TODO: implement properties
// entries // entries
if (offset + 1 >= len) return 0; if (offset + 1 > len) return 0;
int numEntries = buf[offset]; offset++; int numEntries = buf[offset]; offset++;
for (int i = 0; i < numEntries; i++) for (int i = 0; i < numEntries; i++)
{ {
if (offset + 40 >= len) return 0; if (offset + LEASE2_SIZE > len) return 0;
offset += 32; // hash offset += 32; // hash
offset += 3; // flags offset += 3; // flags
offset += 1; // cost offset += 1; // cost
offset += 4; // expires offset += 4; // expires
} }
// revocations // revocations
if (offset + 1 >= len) return 0; if (offset + 1 > len) return 0;
int numRevocations = buf[offset]; offset++; int numRevocations = buf[offset]; offset++;
for (int i = 0; i < numRevocations; i++) for (int i = 0; i < numRevocations; i++)
{ {

Loading…
Cancel
Save