From d080cb1ed80a0e528b2b755ee48ca18cb670175e Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Sun, 20 May 2018 23:40:20 +0200
Subject: check return values from GNSRECORD_record_serialize/size always

---
 src/gns/gnunet-service-gns.c | 27 ++++++++++++++++++++-------
 src/gns/gnunet-service-gns_resolver.c | 21 ++++++++++++++-------
 2 files changed, 34 insertions(+), 14 deletions(-)
(limited to 'src/gns')

diff --git a/src/gns/gnunet-service-gns.c b/src/gns/gnunet-service-gns.c
index cffae824d..aaa4aeb0e 100644
--- a/src/gns/gnunet-service-gns.c
+++ b/src/gns/gnunet-service-gns.c
@@ -334,30 +334,43 @@ client_connect_cb (void *cls,
 * @param rd the record data
 */
 static void
-send_lookup_response (void* cls,
+send_lookup_response (void *cls,
 uint32_t rd_count,
 const struct GNUNET_GNSRECORD_Data *rd)
 {
 struct ClientLookupHandle *clh = cls;
 struct GnsClient *gc = clh->gc;
- struct GNUNET_MQ_Envelope *env;
+ struct GNUNET_MQ_Envelope *env;
 struct LookupResultMessage *rmsg;
- size_t len;
+ ssize_t len;

 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
 "Sending LOOKUP_RESULT message with %u results\n",
 (unsigned int) rd_count);
 len = GNUNET_GNSRECORD_records_get_size (rd_count,
 rd);
+ if (len < 0)
+ {
+ GNUNET_break (0);
+ GNUNET_SERVICE_client_drop (gc->client);
+ return;
+ }
+ if (len > UINT16_MAX - sizeof (*rmsg))
+ {
+ GNUNET_break (0);
+ GNUNET_SERVICE_client_drop (gc->client);
+ return;
+ }
 env = GNUNET_MQ_msg_extra (rmsg,
 len,
 GNUNET_MESSAGE_TYPE_GNS_LOOKUP_RESULT);
 rmsg->id = clh->request_id;
 rmsg->rd_count = htonl (rd_count);
- GNUNET_GNSRECORD_records_serialize (rd_count,
- rd,
- len,
- (char*) &rmsg[1]);
+ GNUNET_assert (len ==
+ GNUNET_GNSRECORD_records_serialize (rd_count,
+ rd,
+ len,
+ (char*) &rmsg[1]));
 GNUNET_MQ_send (GNUNET_SERVICE_client_get_mq (gc->client),
 env);
 GNUNET_CONTAINER_DLL_remove (gc->clh_head,
diff --git a/src/gns/gnunet-service-gns_resolver.c b/src/gns/gnunet-service-gns_resolver.c
index b66516363..8593e281e 100644
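Review bot: The two early returns added after the `GNUNET_GNSRECORD_records_get_size` call drop the client but leave `clh` linked in `gc->clh_head` and never release it, whereas the success path continues into `GNUNET_CONTAINER_DLL_remove (gc->clh_head, ...` (the remainder of send_lookup_response, including what it does with `clh` after unlinking, lies outside the hunk). If the client-disconnect cleanup walks that list and cancels `clh->lookup`, it would then touch a handle whose resolution has already completed, so the error paths should unlink and release `clh` the same way the normal path does before returning. Since both checks have identical bodies, `if ( (len < 0) || (len > UINT16_MAX - sizeof (*rmsg)) )` with one body would read more clearly, and a comment such as `/* serialization failed or result does not fit a 16-bit message size; treated as a local bug */` would explain why an oversized but otherwise valid record set is handled with `GNUNET_break` rather than reported to the client.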
--- a/src/gns/gnunet-service-gns_resolver.c
+++ b/src/gns/gnunet-service-gns_resolver.c
@@ -280,7 +280,7 @@ struct VpnContext
 /**
 * Number of bytes in @e rd_data.
 */
- size_t rd_data_size;
+ ssize_t rd_data_size;

 };

@@ -1319,7 +1319,7 @@ vpn_allocation_cb (void *cls,
 vpn_ctx->vpn_request = NULL;
 rh->vpn_ctx = NULL;
 GNUNET_assert (GNUNET_OK ==
- GNUNET_GNSRECORD_records_deserialize (vpn_ctx->rd_data_size,
+ GNUNET_GNSRECORD_records_deserialize ((size_t) vpn_ctx->rd_data_size,
 vpn_ctx->rd_data,
 vpn_ctx->rd_count,
 rd));
@@ -1901,13 +1901,20 @@ handle_gns_resolution_result (void *cls,
 vpn_ctx->rh = rh;
 vpn_ctx->rd_data_size = GNUNET_GNSRECORD_records_get_size (rd_count,
 rd);
- vpn_ctx->rd_data = GNUNET_malloc (vpn_ctx->rd_data_size);
+ if (vpn_ctx->rd_data_size < 0)
+ {
+ GNUNET_break_op (0);
+ GNUNET_free (vpn_ctx);
+ fail_resolution (rh);
+ return;
+ }
+ vpn_ctx->rd_data = GNUNET_malloc ((size_t) vpn_ctx->rd_data_size);
 vpn_ctx->rd_count = rd_count;
 GNUNET_assert (vpn_ctx->rd_data_size ==
- (size_t) GNUNET_GNSRECORD_records_serialize (rd_count,
- rd,
- vpn_ctx->rd_data_size,
- vpn_ctx->rd_data));
+ GNUNET_GNSRECORD_records_serialize (rd_count,
+ rd,
+ (size_t) vpn_ctx->rd_data_size,
+ vpn_ctx->rd_data));
 vpn_ctx->vpn_request = GNUNET_VPN_redirect_to_peer (vpn_handle,
 af,
 ntohs (vpn->proto),
-- 
cgit v1.2.3
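Review bot: In the new `rd_data_size < 0` branch of handle_gns_resolution_result, `GNUNET_free (vpn_ctx)` runs without clearing any back-pointer from `rh` to the context; the vpn_allocation_cb hunk above resets `rh->vpn_ctx = NULL` when it consumes the context, which suggests `rh->vpn_ctx` already points at `vpn_ctx` here (that assignment, if it exists, is outside the hunk), so `fail_resolution (rh)` or the later handle teardown could follow a dangling pointer. If that is the case, add `rh->vpn_ctx = NULL;` before `GNUNET_free (vpn_ctx);`. A one-line comment would also help explain why this check uses `GNUNET_break_op` while the matching check in gnunet-service-gns.c uses `GNUNET_break`, e.g. `/* record set originates from the network; refusing to serialize is treated as malformed remote data */`, provided that is the intended distinction. The enclosing function body starts and ends outside the hunk.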