From 6265d452e9f464aebdd140429e87028d3705fb33 Mon Sep 17 00:00:00 2001
From: Jeff Becker
Date: Sun, 29 Apr 2018 10:53:04 -0400
Subject: [PATCH 1/2] more bounds checking
---
 libi2pd/Destination.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libi2pd/Destination.cpp b/libi2pd/Destination.cpp
index b7c2ee32..4e758c92 100644
--- a/libi2pd/Destination.cpp
+++ b/libi2pd/Destination.cpp
@@ -329,17 +329,17 @@ namespace client
 switch (typeID)
 {
 case eI2NPData:
- HandleDataMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
+ HandleDataMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len));
 break;
 case eI2NPDeliveryStatus:
 // we assume tunnel tests non-encrypted
 HandleDeliveryStatusMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from));
 break;
 case eI2NPDatabaseStore:
- HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
+ HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len));
 break;
 case eI2NPDatabaseSearchReply:
- HandleDatabaseSearchReplyMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
+ HandleDatabaseSearchReplyMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len));
 break;
 default:
 i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from));
@@ -859,6 +859,11 @@ namespace client
 void ClientDestination::HandleDataMessage (const uint8_t * buf, size_t len)
 {
 uint32_t length = bufbe32toh (buf);
+ if(length > len - 4)
+ {
+ LogPrint(eLogError, "Destination: Data message length ", length, " exceeds buffer length ", len);
+ return;
+ }
 buf += 4; // we assume I2CP payload
 uint16_t fromPort = bufbe16toh (buf + 4), // source
From a63bc1cdca9b338c3c672aee4c79399e8087617c Mon Sep 17 00:00:00 2001
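Review bot: The length passed to HandleDataMessage, HandleDatabaseStoreMessage and HandleDatabaseSearchReplyMessage in the first hunk is measured from `buf`, yet those handlers are given `buf + I2NP_HEADER_SIZE`: the eI2NPDeliveryStatus and default cases use the very same `GetI2NPMessageLength (buf, len)` value to build a message that starts at `buf`, so it evidently counts the header. A handler that trusts its `len` argument — including the `length > len - 4` check this commit adds to HandleDataMessage in the second hunk — can therefore accept a payload that ends I2NP_HEADER_SIZE bytes beyond the real buffer. Passing the payload size instead, e.g. `HandleDataMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength (buf, len) - I2NP_HEADER_SIZE);` (and the same for the other two cases), is only safe once `len >= I2NP_HEADER_SIZE` is established; typeID is read from the header, so such a guard may already exist earlier in the function, which starts before this hunk. The `len - 4` comparison in HandleDataMessage has the same unsigned-wrap hazard and wants `len < 4` rejected first.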
From: Jeff Becker
Date: Sun, 29 Apr 2018 11:41:03 -0400
Subject: [PATCH 2/2] correct sizes
---
 libi2pd/Destination.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libi2pd/Destination.cpp b/libi2pd/Destination.cpp
index 4e758c92..e565d6c0 100644
--- a/libi2pd/Destination.cpp
+++ b/libi2pd/Destination.cpp
@@ -329,17 +329,17 @@ namespace client
 switch (typeID)
 {
 case eI2NPData:
- HandleDataMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len));
+ HandleDataMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len - I2NP_HEADER_SIZE));
 break;
 case eI2NPDeliveryStatus:
 // we assume tunnel tests non-encrypted
 HandleDeliveryStatusMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from));
 break;
 case eI2NPDatabaseStore:
- HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len));
+ HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len - I2NP_HEADER_SIZE));
 break;
 case eI2NPDatabaseSearchReply:
- HandleDatabaseSearchReplyMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len));
+ HandleDatabaseSearchReplyMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len - I2NP_HEADER_SIZE));
 break;
 default:
 i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from));
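Review bot: `len - I2NP_HEADER_SIZE` on the three added lines is an unsigned subtraction with no guard visible in the hunk, so a buffer shorter than one I2NP header wraps the bound to a huge value and GetI2NPMessageLength is then limited only by whatever length field the packet carries; the enclosing function starts before this hunk, so the guard may live there, but it is not evident here. Shrinking the bound also does not turn the result into a payload length: the eI2NPDeliveryStatus and default cases use `GetI2NPMessageLength (buf, len)` for a message that starts at `buf`, so whenever the header's length field is smaller than the buffer the handlers still receive a value that is I2NP_HEADER_SIZE larger than the bytes available after `buf + I2NP_HEADER_SIZE`. A clearer form is to reject the buffer before the switch when `len < I2NP_HEADER_SIZE`, then bound on the whole buffer and subtract the header, e.g. `HandleDataMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength (buf, len) - I2NP_HEADER_SIZE);` for each of the three cases.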