From 8ac13beea427cd1bf321bf89adcda51ace66bf1d Mon Sep 17 00:00:00 2001 From: irungentoo Date: Wed, 31 Dec 2014 15:24:09 -0500 Subject: [PATCH] Code cleanup. Added length checks to ipport_pack() function. --- toxcore/network.c | 16 +++++++++++++--- toxcore/network.h | 10 ++++++---- toxcore/onion.c | 24 ++++++++++++++++++------ 3 files changed, 37 insertions(+), 13 deletions(-) diff --git a/toxcore/network.c b/toxcore/network.c index 5539de6b..7a528f4f 100644 --- a/toxcore/network.c +++ b/toxcore/network.c @@ -763,10 +763,15 @@ void ip_pack(uint8_t *data, const IP *source) memcpy(data + 1, &source->ip6, SIZE_IP6); } -void ip_unpack(IP *target, const uint8_t *data) +/* return 0 on success, -1 on failure. */ +int ip_unpack(IP *target, const uint8_t *data, unsigned int data_size) { + if (data_size < (1 + SIZE_IP6)) + return -1; + target->family = data[0]; memcpy(&target->ip6, data + 1, SIZE_IP6); + return 0; } void ipport_pack(uint8_t *data, const IP_Port *source) @@ -775,10 +780,15 @@ void ipport_pack(uint8_t *data, const IP_Port *source) memcpy(data + SIZE_IP, &source->port, SIZE_PORT); } -void ipport_unpack(IP_Port *target, const uint8_t *data) +/* return 0 on success, -1 on failure. */ +int ipport_unpack(IP_Port *target, const uint8_t *data, unsigned int data_size) { - ip_unpack(&target->ip, data); + if (data_size < (SIZE_IP + SIZE_PORT)) + return -1; + + ip_unpack(&target->ip, data, data_size); memcpy(&target->port, data + SIZE_IP, SIZE_PORT); + return 0; } /* ip_ntoa diff --git a/toxcore/network.h b/toxcore/network.h index 71fe4d9f..49d51d20 100644 --- a/toxcore/network.h +++ b/toxcore/network.h 
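Review bot: The new bound in ip_unpack is written as `1 + SIZE_IP6`, while the header comment for this function says it reads SIZE_IP bytes. Writing the check as `if (data_size < SIZE_IP)` would tie the guard to the documented read size, assuming SIZE_IP is defined as that sum (its definition is not visible here). The function still copies `data[0]` into `target->family` without validating it, so a short comment such as `/* family is not validated here; callers must check it, e.g. with to_host_family() */` would make clear that the byte is still untrusted after a successful return.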
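Review bot: ipport_unpack discards the return value of the new `ip_unpack(&target->ip, data, data_size);` call, so the inner length check only helps as long as the outer `SIZE_IP + SIZE_PORT` test stays at least as strict. Propagating it with `if (ip_unpack(&target->ip, data, data_size) == -1) return -1;` keeps the function correct if either constant or either check changes later. The write side is untouched by this commit: ipport_pack in the context lines still takes no buffer size, so callers remain responsible for supplying SIZE_IP + SIZE_PORT writable bytes.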
@@ -249,12 +249,14 @@ void ipport_copy(IP_Port *target, const IP_Port *source); /* packs IP into data, writes SIZE_IP bytes to data */ void ip_pack(uint8_t *data, const IP *source); -/* unpacks IP from data, reads SIZE_IP bytes from data */ -void ip_unpack(IP *target, const uint8_t *data); +/* unpacks IP from data, reads SIZE_IP bytes from data + return 0 on success, -1 on failure. */ +int ip_unpack(IP *target, const uint8_t *data, unsigned int data_size); /* packs IP_Port into data, writes SIZE_IPPORT bytes to data */ void ipport_pack(uint8_t *data, const IP_Port *source); -/* unpacks IP_Port from data, reads SIZE_IPPORT bytes to data */ -void ipport_unpack(IP_Port *target, const uint8_t *data); +/* unpacks IP_Port from data, reads SIZE_IPPORT bytes to data + return 0 on success, -1 on failure. */ +int ipport_unpack(IP_Port *target, const uint8_t *data, unsigned int data_size); /* * addr_resolve(): diff --git a/toxcore/onion.c b/toxcore/onion.c index 1ce8146e..b444e02a 100644 --- a/toxcore/onion.c +++ b/toxcore/onion.c @@ -293,7 +293,9 @@ int onion_send_1(const Onion *onion, const uint8_t *plain, uint16_t len, IP_Port return 1; IP_Port send_to; - ipport_unpack(&send_to, plain); + + if (ipport_unpack(&send_to, plain, len) == -1) + return 1; if (to_host_family(&send_to.ip) == -1) return 1; @@ -344,7 +346,9 @@ static int handle_send_1(void *object, IP_Port source, const uint8_t *packet, ui return 1; IP_Port send_to; - ipport_unpack(&send_to, plain); + + if (ipport_unpack(&send_to, plain, len) == -1) + return 1; if (to_host_family(&send_to.ip) == -1) return 1; @@ -395,7 +399,9 @@ static int handle_send_2(void *object, IP_Port source, const uint8_t *packet, ui return 1; IP_Port send_to; - ipport_unpack(&send_to, plain); + + if (ipport_unpack(&send_to, plain, len) == -1) + return 1; if (to_host_family(&send_to.ip) == -1) return 1; 
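Review bot: The updated prototype comments do not say what `data_size` means or which condition produces -1, and the ipport_unpack comment still reads "reads SIZE_IPPORT bytes to data" where the function reads from data. Suggested wording for ip_unpack: `/* unpacks IP from data; data_size is the number of readable bytes at data. return 0 on success, -1 if data_size is smaller than SIZE_IP (target is left unmodified). */`. The ipport_unpack comment can use the same wording with SIZE_IPPORT and "from data".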
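Review bot: The new third parameter is `unsigned int`, but in the handle_send_1, handle_send_2 and handle_recv_3/2/1 hunks the `len` passed to it is a local declared outside the hunk. If that local is a signed decryption result, a negative value would convert to a large unsigned count and pass the new length check. The `return 1;` context line just above each call suggests a guard exists, but confirm that it rejects every failure value before `ipport_unpack(&send_to, plain, len)` is reached, or pass `sizeof(plain)` if plain is a fixed-size array there. In onion_send_1 `len` is the `uint16_t` parameter, so the conversion is safe in that hunk. The enclosing functions start and end outside these hunks.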
@@ -443,7 +449,9 @@ static int handle_recv_3(void *object, IP_Port source, const uint8_t *packet, ui return 1; IP_Port send_to; - ipport_unpack(&send_to, plain); + + if (ipport_unpack(&send_to, plain, len) == -1) + return 1; uint8_t data[ONION_MAX_PACKET_SIZE]; data[0] = NET_PACKET_ONION_RECV_2; @@ -477,7 +485,9 @@ static int handle_recv_2(void *object, IP_Port source, const uint8_t *packet, ui return 1; IP_Port send_to; - ipport_unpack(&send_to, plain); + + if (ipport_unpack(&send_to, plain, len) == -1) + return 1; uint8_t data[ONION_MAX_PACKET_SIZE]; data[0] = NET_PACKET_ONION_RECV_1; @@ -511,7 +521,9 @@ static int handle_recv_1(void *object, IP_Port source, const uint8_t *packet, ui return 1; IP_Port send_to; - ipport_unpack(&send_to, plain); + + if (ipport_unpack(&send_to, plain, len) == -1) + return 1; uint16_t data_len = length - (1 + RETURN_1);