diff options
author | Alan Antonuk <alan.antonuk@gmail.com> | 2019-11-03 23:50:07 -0800 |
---|---|---|
committer | Alan Antonuk <alan.antonuk@gmail.com> | 2019-11-04 00:18:04 -0800 |
commit | fc85be7123050b91b054e45b91c78d3241a5047a (patch) | |
tree | 749d9dac5af17f55e87948dc9840335f4a8c4866 /CMakeLists.txt | |
parent | 60adf5f8817f32b25a99aa54ba186a29208c7942 (diff) | |
download | rabbitmq-c-fc85be7123050b91b054e45b91c78d3241a5047a.tar.gz |
lib: check frame_size is >= INT32_MAX
When parsing a frame header, validate that the frame_size is less than
or equal to INT32_MAX. Given frame_max is limited between 0 and
INT32_MAX in amqp_login and friends, this does not change the API.
This prevents a potential buffer overflow when a malicious client sends
a frame_size that is close to UINT32_MAX, in which causes an overflow
when computing state->target_size resulting in a small value there. A
buffer is then allocated with the small amount, then memcopy copies the
frame_size writing to memory beyond the end of the buffer.
Diffstat (limited to 'CMakeLists.txt')
0 files changed, 0 insertions, 0 deletions