Check the size of PROTMESSID_ACKN messages.
The Evaluate* functions that parse other types of messages all check the message size before starting to read data, but the special code for acknowledgements didn't do this, so an ACKN message on an existing connection that had a valid checksum but no data would result in an out-of-bounds read. Found by fuzzing with afl-fuzz.
This commit is contained in:
Adam Sampson
parent
cffd4e9a61
commit
024ebb4728
1 changed files with 6 additions and 0 deletions
|
|
@ -556,6 +556,12 @@ if ( rand() < ( RAND_MAX / 2 ) ) return false;
|
|||
// special treatment for acknowledge messages
|
||||
if ( iRecID == PROTMESSID_ACKN )
|
||||
{
|
||||
// check size
|
||||
if ( vecbyMesBodyData.Size() != 2 )
|
||||
{
|
||||
return true; // return error code
|
||||
}
|
||||
|
||||
// extract data from stream and emit signal for received value
|
||||
int iPos = 0;
|
||||
const int iData =
|
||||
|
|
|
|||
Loading…
Reference in a new issue