Browse Source

check and limit LeaseSet's buffer size

pull/1805/head
orignal 2 years ago
parent
commit
9e02c99db5
  1. 21
      libi2pd/LeaseSet.cpp
  2. 10
      libi2pd/NetDb.cpp

21
libi2pd/LeaseSet.cpp

@ -37,14 +37,7 @@ namespace data @@ -37,14 +37,7 @@ namespace data
void LeaseSet::Update (const uint8_t * buf, size_t len, bool verifySignature)
{
if (len > m_BufferLen)
{
auto oldBuffer = m_Buffer;
m_Buffer = new uint8_t[len];
delete[] oldBuffer;
}
memcpy (m_Buffer, buf, len);
m_BufferLen = len;
SetBuffer (buf, len);
ReadFromBuffer (false, verifySignature);
}
@ -264,7 +257,17 @@ namespace data @@ -264,7 +257,17 @@ namespace data
void LeaseSet::SetBuffer (const uint8_t * buf, size_t len)
{
if (m_Buffer) delete[] m_Buffer;
if (len > MAX_LS_BUFFER_SIZE)
{
LogPrint (eLogError, "LeaseSet: Buffer is too long ", len);
len = MAX_LS_BUFFER_SIZE;
}
if (m_Buffer && len > m_BufferLen)
{
delete[] m_Buffer;
m_Buffer = nullptr;
}
if (!m_Buffer)
m_Buffer = new uint8_t[len];
m_BufferLen = len;
memcpy (m_Buffer, buf, len);

10
libi2pd/NetDb.cpp

@ -749,6 +749,11 @@ namespace data @@ -749,6 +749,11 @@ namespace data
{
const uint8_t * buf = m->GetPayload ();
size_t len = m->GetSize ();
if (len < DATABASE_STORE_HEADER_SIZE)
{
LogPrint (eLogError, "NetDb: Database store msg is too short ", len, ". Dropped");
return;
}
IdentHash ident (buf + DATABASE_STORE_KEY_OFFSET);
if (ident.IsZero ())
{
@ -759,6 +764,11 @@ namespace data @@ -759,6 +764,11 @@ namespace data
size_t offset = DATABASE_STORE_HEADER_SIZE;
if (replyToken)
{
if (len < offset + 36) // 32 + 4
{
LogPrint (eLogError, "NetDb: Database store msg with reply token is too short ", len, ". Dropped");
return;
}
auto deliveryStatus = CreateDeliveryStatusMsg (replyToken);
uint32_t tunnelID = bufbe32toh (buf + offset);
offset += 4;

Loading…
Cancel
Save