mirror of https://github.com/PurpleI2P/i2pd.git synced 2025-01-14 12:57:52 +00:00

Merge pull request #1172 from majestrate/check-boundary-04-2018

Check boundary
orignal 2018-04-29 18:04:15 -04:00 committed by GitHub
commit 8fadac0fdc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -329,17 +329,17 @@ namespace client
switch (typeID) switch (typeID)
{ {
case eI2NPData: case eI2NPData:
HandleDataMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET)); HandleDataMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len - I2NP_HEADER_SIZE));
break; break;
case eI2NPDeliveryStatus: case eI2NPDeliveryStatus:
// we assume tunnel tests non-encrypted // we assume tunnel tests non-encrypted
HandleDeliveryStatusMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from)); HandleDeliveryStatusMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from));
break; break;
case eI2NPDatabaseStore: case eI2NPDatabaseStore:
HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET)); HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len - I2NP_HEADER_SIZE));
break; break;
case eI2NPDatabaseSearchReply: case eI2NPDatabaseSearchReply:
HandleDatabaseSearchReplyMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET)); HandleDatabaseSearchReplyMessage (buf + I2NP_HEADER_SIZE, GetI2NPMessageLength(buf, len - I2NP_HEADER_SIZE));
break; break;
default: default:
i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from)); i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf, len), from));
@ -859,6 +859,11 @@ namespace client
void ClientDestination::HandleDataMessage (const uint8_t * buf, size_t len) void ClientDestination::HandleDataMessage (const uint8_t * buf, size_t len)
{ {
uint32_t length = bufbe32toh (buf); uint32_t length = bufbe32toh (buf);
if(length > len - 4)
{
LogPrint(eLogError, "Destination: Data message length ", length, " exceeds buffer length ", len);
return;
}
buf += 4; buf += 4;
// we assume I2CP payload // we assume I2CP payload
uint16_t fromPort = bufbe16toh (buf + 4), // source uint16_t fromPort = bufbe16toh (buf + 4), // source
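Review bot: The new guard in HandleDataMessage, `if(length > len - 4)`, does not cover `len < 4`: `len` is a `size_t`, so `len - 4` wraps to a very large value and the check passes, and `bufbe32toh (buf)` has already read four bytes before any length test runs. Testing the minimum size before the read closes both gaps, e.g. `if (len < 4) { LogPrint(eLogError, "Destination: Data message is too short ", len); return; }` placed ahead of `uint32_t length = bufbe32toh (buf);`. The calls changed in the first hunk use the same subtraction, `len - I2NP_HEADER_SIZE`, which presumably wraps the same way when `len` is smaller than the header (the type of `len` there is not visible), so a `len >= I2NP_HEADER_SIZE` check before the `switch` would be worth adding. The body of HandleDataMessage continues past the end of the hunk, so the fixed-offset reads that follow `buf += 4` could not be checked against the validated length here.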