GNS: fix potential memory access violationdev/sebi/sbox

author: Sebastian Nadler <sebastian.nadler@tum.de> 2024-01-11 16:17:54 +0100
committer: Sebastian Nadler <sebastian.nadler@tum.de> 2024-01-11 16:18:57 +0100
commit: 749a3f960acd4074dd75e2075757341f76d0e00c (patch)
tree: 7188e4a98374793c43697b2bad94485916f68d76
parent: a2b4a0a924eed10a0efdcbb912950997be7c484f (diff)
download: gnunet-dev/sebi/sbox.tar.gz
gnunet-dev/sebi/sbox.zip
1 files changed, 10 insertions, 1 deletions
diff --git a/src/service/gns/gnunet-service-gns_resolver.c b/src/service/gns/gnunet-service-gns_resolver.c
index 7af756aaf..0d7a1cee8 100644
--- a/src/service/gns/gnunet-service-gns_resolver.c
+++ b/src/service/gns/gnunet-service-gns_resolver.c
@@ -2397,7 +2397,16 @@ handle_gns_resolution_result (void *cls,
            box = rd[i].data;
            const char *prefix = rd[i].data + sizeof(struct
                                                     GNUNET_GNSRECORD_SBoxRecord);
-            size_t prefix_len = strlen (prefix) + 1;
+            size_t prefix_len = strnlen (prefix, rd[i].data_size - sizeof(struct
+                                                                          GNUNET_GNSRECORD_SBoxRecord))
+                                + 1;
+            if (prefix_len - 1 >= rd[i].data_size - sizeof(struct
+                                                           GNUNET_GNSRECORD_SBoxRecord))
+            {
+              GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                          "SBOX record with invalid prefix length, maybe not null-terminated\n");
+              continue;
+            }
            GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
                        "Got SBOX record, checking if prefixes match... %s vs %s\n",
                        prefix, rh->prefix);
author	Sebastian Nadler <sebastian.nadler@tum.de>	2024-01-11 16:17:54 +0100
committer	Sebastian Nadler <sebastian.nadler@tum.de>	2024-01-11 16:18:57 +0100
commit	749a3f960acd4074dd75e2075757341f76d0e00c (patch)
tree	7188e4a98374793c43697b2bad94485916f68d76
parent	a2b4a0a924eed10a0efdcbb912950997be7c484f (diff)
download	gnunet-dev/sebi/sbox.tar.gz gnunet-dev/sebi/sbox.zip

diff --git a/src/service/gns/gnunet-service-gns_resolver.c b/src/service/gns/gnunet-service-gns_resolver.c index 7af756aaf..0d7a1cee8 100644 --- a/src/service/gns/gnunet-service-gns_resolver.c +++ b/src/service/gns/gnunet-service-gns_resolver.c
@@ -2397,7 +2397,16 @@ handle_gns_resolution_result (void *cls,
2397	box = rd[i].data;	2397	box = rd[i].data;
2398	const char *prefix = rd[i].data + sizeof(struct	2398	const char *prefix = rd[i].data + sizeof(struct
2399	GNUNET_GNSRECORD_SBoxRecord);	2399	GNUNET_GNSRECORD_SBoxRecord);
2400	size_t prefix_len = strlen (prefix) + 1;	2400	size_t prefix_len = strnlen (prefix, rd[i].data_size - sizeof(struct
		2401	GNUNET_GNSRECORD_SBoxRecord))
		2402	+ 1;
		2403	if (prefix_len - 1 >= rd[i].data_size - sizeof(struct
		2404	GNUNET_GNSRECORD_SBoxRecord))
		2405	{
		2406	GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
		2407	"SBOX record with invalid prefix length, maybe not null-terminated\n");
		2408	continue;
		2409	}
2401	GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,	2410	GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2402	"Got SBOX record, checking if prefixes match... %s vs %s\n",	2411	"Got SBOX record, checking if prefixes match... %s vs %s\n",
2403	prefix, rh->prefix);	2412	prefix, rh->prefix);