From 14537ef71b43ac47fe342c4e88f7bd3675ed1e39 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Tue, 4 Jun 2019 21:05:01 +0200
Subject: misc bugfixes
---
 src/transport/gnunet-service-tng.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'src/transport/gnunet-service-tng.c')
diff --git a/src/transport/gnunet-service-tng.c b/src/transport/gnunet-service-tng.c
index 9262e5e97..206c59363 100644
--- a/src/transport/gnunet-service-tng.c
+++ b/src/transport/gnunet-service-tng.c
@@ -5580,6 +5580,13 @@ handle_fragment_box (void *cls, const struct TransportFragmentBoxMessage *fb)
 return;
 }
 frag_off = ntohs (fb->frag_off);
+ if (frag_off + fsize > msize)
+ {
+ /* Fragment (plus fragment size) exceeds message size! */
+ GNUNET_break_op (0);
+ finish_cmc_handling (cmc);
+ return;
+ }
 memcpy (&target[frag_off], &fb[1], fsize);
 /* update bitfield and msg_missing */
 for (unsigned int i = frag_off; i < frag_off + fsize; i++)
--
cgit v1.2.3
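Review bot: The new guard `if (frag_off + fsize > msize)` is written as a sum, so it is only overflow-free if `frag_off` and `fsize` are narrower than `int`; their declarations are outside this hunk. If they are 16-bit values the promotion to `int` makes the comparison exact, but a subtraction form such as `if ((frag_off > msize) || (fsize > msize - frag_off))` stays correct whatever the operand widths are and is what I would write in front of a `memcpy` fed by peer-controlled fields. The check also only protects the copy if `target` really holds `msize` bytes for this reassembly context. That is established above the hunk (possibly by the `return; }` context line), so it is worth stating in the comment, e.g. `/* target has msize bytes (checked above); reject fragments that end past it */`. The bitfield loop below reuses the same `frag_off + fsize` bound and benefits from the same guarantee.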