fix: Fix a stack overflow triggered by small DHT packets.

This isn't in production yet. It's in the new announce store code. The
problem was that a negative plain_len was converted to unsigned, which
made it a very large number.
This commit is contained in:
iphydf 2022-04-04 08:07:31 +00:00
parent 2c06ef6ad4
commit 7a4cc107c0
No known key found for this signature in database
GPG Key ID: 3855DBA2D74403C9
3 changed files with 3 additions and 3 deletions


@ -1 +1 @@
139fe825b90c022bbefd3837c2a427ab9215be3ca62144ea7ff12ae7389c78ba /usr/local/bin/tox-bootstrapd 37e68ca853cd8b01b26c8d8c61d1db6546c08ed294f5650b691b7aadaf47ee18 /usr/local/bin/tox-bootstrapd


@ -1079,7 +1079,7 @@ static int handle_data_search_response(void *object, const IP_Port *source,
const int32_t plain_len = (int32_t)length - (1 + CRYPTO_PUBLIC_KEY_SIZE + CRYPTO_NONCE_SIZE + CRYPTO_MAC_SIZE); const int32_t plain_len = (int32_t)length - (1 + CRYPTO_PUBLIC_KEY_SIZE + CRYPTO_NONCE_SIZE + CRYPTO_MAC_SIZE);
if (plain_len < CRYPTO_PUBLIC_KEY_SIZE + sizeof(uint64_t)) { if (plain_len < (int32_t)(CRYPTO_PUBLIC_KEY_SIZE + sizeof(uint64_t))) {
return 1; return 1;
} }
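Review bot: The cast added on the right-hand side of the comparison in `handle_data_search_response` closes the sign-promotion hole, but nothing on the line says why it is there, so a later cleanup could drop the cast and silently reintroduce the bypass; the same applies to the `create_reply` hunk, which additionally computes the same quantity as plain `int` where this site uses `int32_t`. A comment such as `/* plain_len is negative for short packets; keep the RHS signed so this is not an unsigned compare */` on the `if` line would protect both sites. An alternative that avoids signed arithmetic altogether is to bound `length` before subtracting, e.g. `if (length < 1 + CRYPTO_PUBLIC_KEY_SIZE + CRYPTO_NONCE_SIZE + CRYPTO_MAC_SIZE + CRYPTO_PUBLIC_KEY_SIZE + sizeof(uint64_t)) { return 1; }`, which keeps every operand unsigned and reads as the real precondition. Both enclosing functions start and end outside the hunks shown; the original comparisons look like exactly what `-Wsign-compare` reports, so it is worth confirming that warning is enabled for this code.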


@ -544,7 +544,7 @@ static int create_reply(Announcements *announce, const IP_Port *source,
{ {
const int plain_len = (int)length - (1 + CRYPTO_PUBLIC_KEY_SIZE + CRYPTO_NONCE_SIZE + CRYPTO_MAC_SIZE); const int plain_len = (int)length - (1 + CRYPTO_PUBLIC_KEY_SIZE + CRYPTO_NONCE_SIZE + CRYPTO_MAC_SIZE);
if (plain_len < sizeof(uint64_t)) { if (plain_len < (int)sizeof(uint64_t)) {
return -1; return -1;
} }