Check the size of PROTMESSID_ACKN messages.

The Evaluate* functions that parse other types of messages all check the
message size before starting to read data, but the special code for
acknowledgements didn't do this, so an ACKN message on an existing
connection that had a valid checksum but no data would result in an
out-of-bounds read.

Found by fuzzing with afl-fuzz.
Adam Sampson 2020-05-28 02:01:20 +01:00
parent cffd4e9a61
commit 024ebb4728


@ -556,6 +556,12 @@ if ( rand() < ( RAND_MAX / 2 ) ) return false;
// special treatment for acknowledge messages
if ( iRecID == PROTMESSID_ACKN )
{
// check size
if ( vecbyMesBodyData.Size() != 2 )
{
return true; // return error code
}
// extract data from stream and emit signal for received value
int iPos = 0;
const int iData =
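Review bot: the new size check in this hunk pairs `return true;` with the comment `// return error code`, which reads as a contradiction on its own; since the context line above the hunk shows this function using `return false;` for the non-error path, spell out the convention in the comment (for example `// return true = error, message rejected`) so the next reader does not flip it. The check also uses an exact comparison, `vecbyMesBodyData.Size() != 2`, rather than a minimum size, so an ACKN body with any trailing bytes is rejected as a whole; that is the safe choice if the protocol fixes the ACKN body to exactly those two bytes, but the literal `2` should be a named constant or at least a comment saying what the two bytes are, so the bound stays in step with the read that follows `int iPos = 0;`. Finally, the commit message says the other Evaluate* functions already perform this check; it would help to confirm in the message (or a comment) that this branch now uses the same error-return semantics as those functions, so a caller treating `true` as "handled" cannot silently drop the rejection.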