Code cleanup.

Added length checks to ipport_pack() function.

toxcore/network.c

@@ -763,10 +763,15 @@ void ip_pack(uint8_t *data, const IP *source)
     memcpy(data + 1, &source->ip6, SIZE_IP6);
 }
 
-void ip_unpack(IP *target, const uint8_t *data)
+/* return 0 on success, -1 on failure. */
+int ip_unpack(IP *target, const uint8_t *data, unsigned int data_size)
 {
+    if (data_size < (1 + SIZE_IP6))
+        return -1;
+
     target->family = data[0];
     memcpy(&target->ip6, data + 1, SIZE_IP6);
+    return 0;
 }
 
 void ipport_pack(uint8_t *data, const IP_Port *source)
@@ -775,10 +780,15 @@ void ipport_pack(uint8_t *data, const IP_Port *source)
     memcpy(data + SIZE_IP, &source->port, SIZE_PORT);
 }
 
-void ipport_unpack(IP_Port *target, const uint8_t *data)
+/* return 0 on success, -1 on failure. */
+int ipport_unpack(IP_Port *target, const uint8_t *data, unsigned int data_size)
 {
-    ip_unpack(&target->ip, data);
+    if (data_size < (SIZE_IP + SIZE_PORT))
+        return -1;
+
+    ip_unpack(&target->ip, data, data_size);
     memcpy(&target->port, data + SIZE_IP, SIZE_PORT);
+    return 0;
 }
 
 /* ip_ntoa

toxcore/network.h

@@ -249,12 +249,14 @@ void ipport_copy(IP_Port *target, const IP_Port *source);
 
 /* packs IP into data, writes SIZE_IP bytes to data */
 void ip_pack(uint8_t *data, const IP *source);
-/* unpacks IP from data, reads SIZE_IP bytes from data */
-void ip_unpack(IP *target, const uint8_t *data);
+/* unpacks IP from data, reads SIZE_IP bytes from data
+   return 0 on success, -1 on failure. */
+int ip_unpack(IP *target, const uint8_t *data, unsigned int data_size);
 /* packs IP_Port into data, writes SIZE_IPPORT bytes to data */
 void ipport_pack(uint8_t *data, const IP_Port *source);
-/* unpacks IP_Port from data, reads SIZE_IPPORT bytes to data */
-void ipport_unpack(IP_Port *target, const uint8_t *data);
+/* unpacks IP_Port from data, reads SIZE_IPPORT bytes to data
+   return 0 on success, -1 on failure. */
+int ipport_unpack(IP_Port *target, const uint8_t *data, unsigned int data_size);
 
 /*
  * addr_resolve():

toxcore/onion.c

@@ -293,7 +293,9 @@ int onion_send_1(const Onion *onion, const uint8_t *plain, uint16_t len, IP_Port
         return 1;
 
     IP_Port send_to;
-    ipport_unpack(&send_to, plain);
+
+    if (ipport_unpack(&send_to, plain, len) == -1)
+        return 1;
 
     if (to_host_family(&send_to.ip) == -1)
         return 1;
@@ -344,7 +346,9 @@ static int handle_send_1(void *object, IP_Port source, const uint8_t *packet, ui
         return 1;
 
     IP_Port send_to;
-    ipport_unpack(&send_to, plain);
+
+    if (ipport_unpack(&send_to, plain, len) == -1)
+        return 1;
 
     if (to_host_family(&send_to.ip) == -1)
         return 1;
@@ -395,7 +399,9 @@ static int handle_send_2(void *object, IP_Port source, const uint8_t *packet, ui
         return 1;
 
     IP_Port send_to;
-    ipport_unpack(&send_to, plain);
+
+    if (ipport_unpack(&send_to, plain, len) == -1)
+        return 1;
 
     if (to_host_family(&send_to.ip) == -1)
         return 1;
@@ -443,7 +449,9 @@ static int handle_recv_3(void *object, IP_Port source, const uint8_t *packet, ui
         return 1;
 
     IP_Port send_to;
-    ipport_unpack(&send_to, plain);
+
+    if (ipport_unpack(&send_to, plain, len) == -1)
+        return 1;
 
     uint8_t data[ONION_MAX_PACKET_SIZE];
     data[0] = NET_PACKET_ONION_RECV_2;
@@ -477,7 +485,9 @@ static int handle_recv_2(void *object, IP_Port source, const uint8_t *packet, ui
         return 1;
 
     IP_Port send_to;
-    ipport_unpack(&send_to, plain);
+
+    if (ipport_unpack(&send_to, plain, len) == -1)
+        return 1;
 
     uint8_t data[ONION_MAX_PACKET_SIZE];
     data[0] = NET_PACKET_ONION_RECV_1;
@@ -511,7 +521,9 @@ static int handle_recv_1(void *object, IP_Port source, const uint8_t *packet, ui
         return 1;
 
     IP_Port send_to;
-    ipport_unpack(&send_to, plain);
+
+    if (ipport_unpack(&send_to, plain, len) == -1)
+        return 1;
 
     uint16_t data_len = length - (1 + RETURN_1);