author | Alan Antonuk <alan.antonuk@gmail.com> | 2014-07-14 22:30:27 -0700 |
---|---|---|
committer | Alan Antonuk <alan.antonuk@gmail.com> | 2014-07-14 22:37:19 -0700 |
commit | 8956003e3d1fd97cf52969a2c4f988cbcb81100d (patch) | |
tree | b5fa362fec79d60074bf47e940c802fb47210b14 | |
parent | 38c8cdcd64b0a260382c5f2fc73e5abe1fc766fc (diff) | |
FIX: Improve invalid frame detection code.
Improve detection of invalid AMQP frame header before allocating frame buffer.
This fixes #187.
Thanks to Mike Stitt <mikes@spindance.com> for the inspiration on this.
-rw-r--r-- | librabbitmq/amqp_connection.c | 14 | ||||
-rw-r--r-- | librabbitmq/amqp_socket.c | 2 |
2 files changed, 13 insertions, 3 deletions
diff --git a/librabbitmq/amqp_connection.c b/librabbitmq/amqp_connection.c
index 078ffb6..cb82e46 100644
--- a/librabbitmq/amqp_connection.c
+++ b/librabbitmq/amqp_connection.c
@@ -279,14 +279,22 @@ int amqp_handle_input(amqp_connection_state_t state,
 /* frame length is 3 bytes in */
 channel = amqp_d16(raw_frame, 1);
- channel_pool = amqp_get_or_create_channel_pool(state, channel);
- if (NULL == channel_pool) {
- return AMQP_STATUS_NO_MEMORY;
+ if ((int)channel > state->channel_max) {
+ return AMQP_STATUS_BAD_AMQP_DATA;
 }
 state->target_size = amqp_d32(raw_frame, 3) + HEADER_SIZE + FOOTER_SIZE;
+ if ((size_t)state->frame_max < state->target_size) {
+ return AMQP_STATUS_BAD_AMQP_DATA;
+ }
+
+ channel_pool = amqp_get_or_create_channel_pool(state, channel);
+ if (NULL == channel_pool) {
+ return AMQP_STATUS_NO_MEMORY;
+ }
+
 amqp_pool_alloc_bytes(channel_pool, state->target_size, &state->inbound_buffer);
 if (NULL == state->inbound_buffer.bytes) {
 return AMQP_STATUS_NO_MEMORY;
diff --git a/librabbitmq/amqp_socket.c b/librabbitmq/amqp_socket.c
index 105b9b2..154c464 100644
--- a/librabbitmq/amqp_socket.c
+++ b/librabbitmq/amqp_socket.c
@@ -1260,6 +1260,8 @@ static amqp_rpc_reply_t amqp_login_inner(amqp_connection_state_t state,
 if (server_channel_max != 0 && server_channel_max < channel_max) {
 channel_max = server_channel_max;
+ } else if (server_channel_max == 0 && channel_max == 0) {
+ channel_max = UINT16_MAX;
 }
 if (server_frame_max != 0 && server_frame_max < frame_max) { |
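Review bot: The new frame_max check compares `state->target_size` only after it has been computed as `amqp_d32(raw_frame, 3) + HEADER_SIZE + FOOTER_SIZE`, and because amqp_d32 yields a uint32_t that sum is evaluated in 32-bit unsigned arithmetic; a length field close to 0xFFFFFFFF wraps to a value below HEADER_SIZE + FOOTER_SIZE, which passes the `(size_t)state->frame_max < state->target_size` test and leaves a target_size smaller than the header bytes already consumed. Validating the raw length field against frame_max before the addition closes that gap and also rejects a frame_max smaller than the fixed per-frame overhead (frame_max appears to be a signed type given the cast, hence the explicit lower bound). amqp_handle_input starts and ends outside this hunk, so if the file is kept C89-clean the new `uint32_t payload_len` local belongs with the function's other declarations rather than at the point of use shown below.
```c
      /* … unchanged: channel_max check … */
      payload_len = amqp_d32(raw_frame, 3);
      if (state->frame_max < HEADER_SIZE + FOOTER_SIZE ||
          payload_len > (uint32_t)(state->frame_max - HEADER_SIZE - FOOTER_SIZE)) {
        return AMQP_STATUS_BAD_AMQP_DATA;
      }
      state->target_size = (size_t)payload_len + HEADER_SIZE + FOOTER_SIZE;
      /* … unchanged: channel pool lookup and inbound buffer allocation … */
```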
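Review bot: The added `else if` only covers the case where both sides advertise 0; when the caller passes channel_max == 0 (no limit) and the server's tune frame carries a non-zero limit, neither branch fires and channel_max stays 0, and if that value is what later ends up in `state->channel_max`, the `(int)channel > state->channel_max` check introduced in amqp_connection.c by this same commit would reject every frame on a non-zero channel. Adopting the server's value whenever the client asked for no limit avoids that: change the first condition to `if (channel_max == 0 || (server_channel_max != 0 && server_channel_max < channel_max)) {`, drop the `else if`, and follow the closing brace with `if (channel_max == 0) { channel_max = UINT16_MAX; }`. amqp_login_inner starts and ends outside this hunk, so where the negotiated channel_max is passed on is not visible here.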