From d25b2cb6664389091476b900965eccba0e2bbefb Mon Sep 17 00:00:00 2001
From: Andrew Stitcher
Date: Tue, 5 Mar 2013 21:57:48 +0000
Subject: QPID-4629 Improve validation of received frames. - Added checks to Buffer to ensure no buffer overruns occur; - Fixed an unsigned comparison error in the checking function. - Improved FieldValue decoding to check we've actually got data before allocating the space for it. - Disallowed large arrays (greater than 256 elements) of zero length elements - avoids potential memory exhaustion problems. [Fixes from Florian Weimer, Red Hat Product Security Team, lightly modified] This change fixes these vulnerabilities CVE-2012-4458 CVE-2012-4459 CVE-2012-4460 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1453031 13f79535-47bb-0310-9956-ffa450edef68
---
 qpid/cpp/include/qpid/framing/Buffer.h | 2 +-
 qpid/cpp/include/qpid/framing/FieldValue.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
(limited to 'qpid/cpp/include')
diff --git a/qpid/cpp/include/qpid/framing/Buffer.h b/qpid/cpp/include/qpid/framing/Buffer.h
index 2ccad3bd57..293d591a94 100644
--- a/qpid/cpp/include/qpid/framing/Buffer.h
+++ b/qpid/cpp/include/qpid/framing/Buffer.h
@@ -45,7 +45,7 @@ class QPID_COMMON_CLASS_EXTERN Buffer
 uint32_t position;
 public:
- void checkAvailable(uint32_t count) { if (position + count > size) throw OutOfBounds(); }
+ void checkAvailable(size_t count) { if (count > size - position) throw OutOfBounds(); }
 QPID_COMMON_EXTERN Buffer(char* data=0, uint32_t size=0);
diff --git a/qpid/cpp/include/qpid/framing/FieldValue.h b/qpid/cpp/include/qpid/framing/FieldValue.h
index e964da495a..1adcb2fa07 100644
--- a/qpid/cpp/include/qpid/framing/FieldValue.h
+++ b/qpid/cpp/include/qpid/framing/FieldValue.h
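Review bot: The rewritten guard in `checkAvailable` is only sound while `position <= size`, because `size - position` is computed in unsigned arithmetic and wraps to a very large value otherwise, letting any `count` through. Whether every path that sets `position` enforces that invariant is not visible in this hunk, so the guard could be made self-contained: `if (position > size || count > size - position) throw OutOfBounds();`. If the invariant is guaranteed elsewhere, a comment above the method should say so, for example `// Requires position <= size; written as a subtraction so a large count cannot wrap the sum.` Widening `count` to `size_t` is the right call, since a caller's length is now compared before it can be narrowed to 32 bits.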
@@ -281,6 +281,7 @@ class VariableWidthValue : public FieldValue::Data {
 };
 void decode(Buffer& buffer) {
 uint32_t len = buffer.getUInt();
+ buffer.checkAvailable(len);
 octets.resize(len);
 if (len > 0)
 buffer.getRawData(&octets[0], len);
-- cgit v1.2.1
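Review bot: The added `buffer.checkAvailable(len)` in `decode` needs a one-line comment, because its position ahead of `octets.resize(len)` is the whole fix and a later cleanup could easily reorder it. Something like `// Check the wire-declared length against the bytes actually buffered before allocating for it.` would record the intent. Without that ordering, a peer-supplied `len` sizes the allocation before any data is known to be present. Other decoders that read a length and then resize or allocate deserve the same check, but this view is limited to `qpid/cpp/include` and does not show them. The body of `decode` continues past the end of the hunk.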