diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-20 11:13:08 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-21 13:19:18 +0100 |
| commit | 09a2f72584bb52ba87a97ee291729d6609229626 (patch) | |
| tree | 5d4e02da7cf4fed1874f9c1cde74798e1e318048 | |
| parent | 0715c72c482931b962294f9388f28fbb2a707d80 (diff) | |
| download | gnutls-09a2f72584bb52ba87a97ee291729d6609229626.tar.gz | |
cdk_pkt_read: enforce packet limits
That ensures that there are no overflows in the subsequent
calculations.
Resolves the oss-fuzz found bug:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
Relates: #159
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | lib/opencdk/read-packet.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c index 8a8d87a1fd..d95845d569 100644 --- a/lib/opencdk/read-packet.c +++ b/lib/opencdk/read-packet.c @@ -951,6 +951,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) return 0; } +#define MAX_PACKET_LEN (1<<24) /** * cdk_pkt_read: @@ -1003,6 +1004,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) else read_old_length(inp, ctb, &pktlen, &pktsize); + /* enforce limits to ensure that the following calculations + * do not overflow */ + if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) { + _cdk_log_info("cdk_pkt_read: too long packet\n"); + return gnutls_assert_val(CDK_Inv_Packet); + } + pkt->pkttype = pkttype; pkt->pktlen = pktlen; pkt->pktsize = pktsize + pktlen; @@ -1027,6 +1035,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) break; case CDK_PKT_USER_ID: + pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id + pkt->pktlen + 1); if (!pkt->pkt.user_id) |