From 024ebb4728ac7b43b5c1bfdf3aa08d4659c58bad Mon Sep 17 00:00:00 2001
From: Adam Sampson
Date: Thu, 28 May 2020 02:01:20 +0100
Subject: [PATCH] Check the size of PROTMESSID_ACKN messages.

The Evaluate* functions that parse other types of messages all check the message size before starting to read data, but the special code for acknowledgements didn't do this, so an ACKN message on an existing connection that had a valid checksum but no data would result in an out-of-bounds read. Found by fuzzing with afl-fuzz.
---
 src/protocol.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/protocol.cpp b/src/protocol.cpp
index 4c33607f..50be6eb5 100755
--- a/src/protocol.cpp
+++ b/src/protocol.cpp
@@ -556,6 +556,12 @@ if ( rand() < ( RAND_MAX / 2 ) ) return false;
 // special treatment for acknowledge messages
 if ( iRecID == PROTMESSID_ACKN )
 {
+ // check size
+ if ( vecbyMesBodyData.Size() != 2 )
+ {
+ return true; // return error code
+ }
+
 // extract data from stream and emit signal for received value
 int iPos = 0;
 const int iData =
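Review bot: The new guard hard-codes the expected body length as `2` while the read it protects starts on the hunk's last line (`const int iData =`) and continues outside the hunk, so the check and the extraction can drift apart if one is edited without the other. A named constant used by both, e.g. `const int iAcknBodyLen = 2; // ACKN body length in bytes` (presumably one 16-bit message ID — confirm against the extraction that follows), would keep them in sync, and the comment `// check size` could state what is rejected: `// reject ACKN bodies of the wrong size before reading from them`. A regression test feeding an ACKN with a valid checksum and an empty body, the case the description credits to afl-fuzz, would pin the fix. The enclosing function begins and ends outside the hunk.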