# HG changeset patch
# User Sebastien Decugis
# Date 1594056288 -28800
# Node ID 6a35c5470ef4c8fb0cf81e20efa83eecc93cc1be
# Parent d1827bc3cf9029a64e967a77d85a3d51bb752c67
Security fix: check invalid incoming data
diff -r d1827bc3cf90 -r 6a35c5470ef4 libfdproto/messages.c
--- a/libfdproto/messages.c Tue Dec 10 00:53:45 2019 +0800
+++ b/libfdproto/messages.c Tue Jul 07 01:24:48 2020 +0800
@@ -1946,6 +1946,14 @@
 offset += 4;
 }
 
+ /* Check the length is valid */
+ if ( avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags) ) {
+ TRACE_DEBUG(INFO, "Invalid AVP size %d",
+ avp->avp_public.avp_len);
+ free(avp);
+ return EBADMSG;
+ }
+ 
 /* Check there is enough remaining data in the buffer */
 if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags))
 && (buflen - offset < avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags))) {
@@ -1992,6 +2000,10 @@
 TRACE_DEBUG(INFO, "Truncated message (%zd / %d)", buflen, msglen );
 return EBADMSG;
 }
+ if ( msglen < GETMSGHDRSZ() ) {
+ TRACE_DEBUG(INFO, "Invalid message length (%d)", msglen );
+ return EBADMSG;
+ }
 
 /* Create a new object */
 CHECK_MALLOC( new = malloc (sizeof(struct msg)) );
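Review bot: The new guard's TRACE_DEBUG prints `avp_len` with `%d`; if that field is the `uint32_t` declared in the public AVP header struct, the matching specifier is `%u` (or `PRIu32`), and the same applies to the `%d` used for `msglen` in the second hunk. The check also deserves a why-comment, since it is what keeps the later `avp_len - GETAVPHDRSZ(...)` arithmetic and the value parsing from operating on a length shorter than the header it was parsed from: `/* avp_len covers the header itself; anything shorter is malformed and would underflow the value-length arithmetic below */`. It relies on the code above having already verified that the full 8- or 12-byte header fits in `buflen - offset` before its fields were read — that code is outside the hunk, as is the rest of the enclosing function, so worth confirming. `free(avp)` on this path matches a bare allocation, assuming nothing else has been attached to the AVP at this point.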
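Review bot: The new `msglen < GETMSGHDRSZ()` check is placed after the truncation test, so together they establish `buflen >= msglen >= header size` before the header fields are read into the freshly allocated `struct msg`; that ordering is the point of the fix and should be stated, e.g. `/* Reject lengths shorter than the fixed header before reading it: buflen >= msglen >= GETMSGHDRSZ() from here on */`. The trace uses `%d` for `msglen` as the existing truncation message does; if `msglen` is unsigned, `%u` is the exact specifier for both. The enclosing function begins and ends outside the hunk.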