From 623c3f4605b805fdc6b4c5e90d8735eae72107c1 Mon Sep 17 00:00:00 2001
From: orignal
Date: Sat, 6 May 2023 18:07:21 -0400
Subject: [PATCH] check for max number of records in tunnel build and tunnel build reply messages
---
 libi2pd/I2NPProtocol.cpp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/libi2pd/I2NPProtocol.cpp b/libi2pd/I2NPProtocol.cpp
index 1a5b1cde..f100c6e5 100644
--- a/libi2pd/I2NPProtocol.cpp
+++ b/libi2pd/I2NPProtocol.cpp
@@ -424,6 +424,11 @@ namespace i2p
 {
 int num = buf[0];
 LogPrint (eLogDebug, "I2NP: VariableTunnelBuild ", num, " records");
+ if (num > i2p::tunnel::MAX_NUM_RECORDS)
+ {
+ LogPrint (eLogError, "I2NP: Too many records in VaribleTunnelBuild message ", num);
+ return;
+ }
 if (len < num*TUNNEL_BUILD_RECORD_SIZE + 1)
 {
 LogPrint (eLogError, "I2NP: VaribleTunnelBuild message of ", num, " records is too short ", len);
@@ -477,6 +482,11 @@ namespace i2p
 {
 int num = buf[0];
 LogPrint (eLogDebug, "I2NP: TunnelBuildReplyMsg of ", num, " records replyMsgID=", replyMsgID);
+ if (num > i2p::tunnel::MAX_NUM_RECORDS)
+ {
+ LogPrint (eLogError, "I2NP: Too many records in TunnelBuildReply message ", num);
+ return;
+ }
 size_t recordSize = isShort ? SHORT_TUNNEL_BUILD_RECORD_SIZE : TUNNEL_BUILD_RECORD_SIZE;
 if (len < num*recordSize + 1)
 {
@@ -508,6 +518,11 @@ namespace i2p
 {
 int num = buf[0];
 LogPrint (eLogDebug, "I2NP: ShortTunnelBuild ", num, " records");
+ if (num > i2p::tunnel::MAX_NUM_RECORDS)
+ {
+ LogPrint (eLogError, "I2NP: Too many records in ShortTunnelBuild message ", num);
+ return;
+ }
 if (len < num*SHORT_TUNNEL_BUILD_RECORD_SIZE + 1)
 {
 LogPrint (eLogError, "I2NP: ShortTunnelBuild message of ", num, " records is too short ", len);
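Review bot: The added guard bounds `num` only from above, so a VariableTunnelBuild message whose first byte is 0 passes both this check and the length check that follows, and `buf[0]` itself is read before any test of `len` that is visible in the hunk. The handler's body starts and ends outside the hunk; if that part does not already reject an empty payload or a zero record count, the guard could cover both ends, e.g. `if (num < 1 || num > i2p::tunnel::MAX_NUM_RECORDS)`, with a `len` test placed ahead of the `buf[0]` read. The same applies to the guards added in the TunnelBuildReply and ShortTunnelBuild hunks. The new error string also repeats the "Varible" misspelling while the debug line above it says "VariableTunnelBuild"; spelling it `"I2NP: Too many records in VariableTunnelBuild message "` lets one log search find both lines.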
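Review bot: The new error line for an oversized TunnelBuildReply leaves out `replyMsgID`, although the debug line directly above prints it, so with debug logging off a rejected reply cannot be tied to the build request it claimed to answer. Appending it, `LogPrint (eLogError, "I2NP: Too many records in TunnelBuildReply message ", num, " replyMsgID=", replyMsgID);`, keeps the rejection traceable when reviewing logs. The handler's body starts and ends outside the hunk, so whether the pending request is cleaned up elsewhere after this early `return` cannot be judged from here.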