From 8956003e3d1fd97cf52969a2c4f988cbcb81100d Mon Sep 17 00:00:00 2001
From: Alan Antonuk
Date: Mon, 14 Jul 2014 22:30:27 -0700
Subject: FIX: Improve invalid frame detection code.

Improve detection of invalid AMQP frame header before allocating frame buffer.

This fixes #187. Thanks to Mike Stitt for the inspiration on this.
---
 librabbitmq/amqp_connection.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'librabbitmq/amqp_connection.c')

diff --git a/librabbitmq/amqp_connection.c b/librabbitmq/amqp_connection.c
index 078ffb6..cb82e46 100644
--- a/librabbitmq/amqp_connection.c
+++ b/librabbitmq/amqp_connection.c
@@ -279,14 +279,22 @@ int amqp_handle_input(amqp_connection_state_t state,
 /* frame length is 3 bytes in */
 channel = amqp_d16(raw_frame, 1);
- channel_pool = amqp_get_or_create_channel_pool(state, channel);
- if (NULL == channel_pool) {
- return AMQP_STATUS_NO_MEMORY;
+ if ((int)channel > state->channel_max) {
+ return AMQP_STATUS_BAD_AMQP_DATA;
 }
 state->target_size = amqp_d32(raw_frame, 3) + HEADER_SIZE + FOOTER_SIZE;
+ if ((size_t)state->frame_max < state->target_size) {
+ return AMQP_STATUS_BAD_AMQP_DATA;
+ }
+
+ channel_pool = amqp_get_or_create_channel_pool(state, channel);
+ if (NULL == channel_pool) {
+ return AMQP_STATUS_NO_MEMORY;
+ }
+
 amqp_pool_alloc_bytes(channel_pool, state->target_size, &state->inbound_buffer);
 if (NULL == state->inbound_buffer.bytes) {
 return AMQP_STATUS_NO_MEMORY;
-- 
cgit v1.2.1
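Review bot: The new frame_max check runs only after the declared length has already been summed into `state->target_size`, so if `amqp_d32()` returns `uint32_t` and `HEADER_SIZE`/`FOOTER_SIZE` are plain `int` constants (not visible in the hunk) the addition is evaluated in 32-bit unsigned arithmetic and a declared length near `UINT32_MAX` wraps to a tiny `target_size` that satisfies `frame_max < target_size` being false; a 32-bit `size_t` wraps the same way even if the sum were widened. Bounding the raw length before adding avoids this: `uint32_t len = amqp_d32(raw_frame, 3);` then `if (len > (size_t)state->frame_max - (HEADER_SIZE + FOOTER_SIZE)) { return AMQP_STATUS_BAD_AMQP_DATA; }` then `state->target_size = (size_t)len + HEADER_SIZE + FOOTER_SIZE;`, which presumes `frame_max` has already been negotiated to at least `HEADER_SIZE + FOOTER_SIZE` by the time input is handled — worth confirming against the tune path. Separately, `(int)channel > state->channel_max` rejects every non-zero channel whenever `channel_max` is 0; if 0 can still mean "no limit" at this point the condition needs a `state->channel_max != 0 &&` guard, and if 0 is never stored here a one-line comment saying so would spare the next reader the same question. The enclosing amqp_handle_input() starts and ends outside the hunk.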