Bound the number of friends you can have to ~4 billion.

If you have UINT32_MAX friends, then adding one more friend overflows the
friend count (it wraps to 0), so the friend list is resized to zero entries and
all friends are deleted. This subsequently results in a null pointer dereference
when we then try to add the one new friend to the now-deleted friend list.
iphydf 2020-04-28 11:10:25 +00:00
parent de3c21b5b7
commit 7edc0a52fe


@ -161,6 +161,12 @@ static int m_handle_lossy_packet(void *object, int friend_num, const uint8_t *pa
static int32_t init_new_friend(Messenger *m, const uint8_t *real_pk, uint8_t status) static int32_t init_new_friend(Messenger *m, const uint8_t *real_pk, uint8_t status)
{ {
if (m->numfriends == UINT32_MAX) {
LOGGER_ERROR(m->log, "Friend list full: we have more than 4 billion friends");
/* This is technically incorrect, but close enough. */
return FAERR_NOMEM;
}
/* Resize the friend list if necessary. */ /* Resize the friend list if necessary. */
if (realloc_friendlist(m, m->numfriends + 1) != 0) { if (realloc_friendlist(m, m->numfriends + 1) != 0) {
return FAERR_NOMEM; return FAERR_NOMEM;