-
Notifications
You must be signed in to change notification settings - Fork 426
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added bounds checking. #1939
base: master
Are you sure you want to change the base?
Added bounds checking. #1939
Conversation
@@ -922,6 +922,10 @@ namespace data | |||
else if(!m_FloodfillBootstrap) | |||
LogPrint (eLogWarning, "NetDb: Requested destination for ", key, " not found"); | |||
|
|||
// All peers hashs in buffer? | |||
if(msg->GetPayloadLength() < (size_t) (33 + num * 32)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use constant instead of 32.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the constant name for a router identity hash? I don't see anything already defined in any headers.
I just copied the values from with-in the for() loop below it.
for (int i = 0; i < num; i++)
{
const uint8_t * router = buf + 33 + i*32;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If no suggestions are given, will add new IDENTITY_HASH_SIZE constant to Identity.h.
#3 0x11c59b7 in i2p::data::LeaseSet2::ReadMetaLS2TypeSpecificPart(unsigned char const*, unsigned long This part looks more interesting then bounds checking itself. Meaning that somebody is publishing Meta LeaseSet. What for? |
Not necessarily. It was found using fuzzing (sending random input to LeaseSet2()), which can be done via a Database Store Message. So someone could craft a leaseset2 message for hostile purposes, e.g. causing a crash//DoS, or maybe extract internal data (assuming some code path makes that possible). |
This has been replaced by pull request #1941, with new commits. |
Found multiple buffer over-reads while fuzzing.