diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-20 11:13:08 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-20 11:20:11 +0100 |
| commit | 51464af713d71802e3c6d5ac15f1a95132a354fe (patch) | |
| tree | 8fc555d160c351e1eb1760d693cf6cd0f727c5df | |
| parent | 5a0ca421c6be08682a49077d623d32e8cdea7274 (diff) | |
| download | gnutls-51464af713d71802e3c6d5ac15f1a95132a354fe.tar.gz | |
cdk_pkt_read: enforce packet limits
That ensures that there are no overflows in the subsequent
calculations.
Resolves the oss-fuzz found bug:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
Relates: #159
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | lib/opencdk/read-packet.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c index 8055a63ed5..ead6480459 100644 --- a/lib/opencdk/read-packet.c +++ b/lib/opencdk/read-packet.c @@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) return 0; } +#define MAX_PACKET_LEN (1<<24) /** * cdk_pkt_read: @@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) else read_old_length(inp, ctb, &pktlen, &pktsize); + /* enforce limits to ensure that the following calculations + * do not overflow */ + if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) { + _cdk_log_info("cdk_pkt_read: too long packet\n"); + return gnutls_assert_val(CDK_Inv_Packet); + } + pkt->pkttype = pkttype; pkt->pktlen = pktlen; pkt->pktsize = pktsize + pktlen; @@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) break; case CDK_PKT_USER_ID: + pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id + pkt->pktlen + 1); if (!pkt->pkt.user_id) |