changeset 1549:19ab8ac08a36
Merge
author | Sebastien Decugis <sdecugis@freediameter.net> |
---|---|
date | Tue, 07 Jul 2020 01:41:54 +0800 |
parents | edfb2b662b91 (current diff) 6a35c5470ef4 (diff) |
children | 224cb55be2d7 |
files | libfdproto/messages.c |
diffstat | 1 files changed, 12 insertions(+), 0 deletions(-) [+] |
--- a/libfdproto/messages.c Mon Jun 15 20:33:58 2020 +0200 +++ b/libfdproto/messages.c Tue Jul 07 01:41:54 2020 +0800 @@ -1946,6 +1946,14 @@ offset += 4; } + /* Check the length is valid */ + if ( avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags) ) { + TRACE_DEBUG(INFO, "Invalid AVP size %d", + avp->avp_public.avp_len); + free(avp); + return EBADMSG; + } + /* Check there is enough remaining data in the buffer */ if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags)) && (buflen - offset < avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags))) { @@ -1992,6 +2000,10 @@ TRACE_DEBUG(INFO, "Truncated message (%zd / %d)", buflen, msglen ); return EBADMSG; } + if ( msglen < GETMSGHDRSZ() ) { + TRACE_DEBUG(INFO, "Invalid message length (%d)", msglen ); + return EBADMSG; + } /* Create a new object */ CHECK_MALLOC( new = malloc (sizeof(struct msg)) );
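Review bot: The comment on the new guard in the first hunk, `/* Check the length is valid */`, does not say what the guard protects. The remaining-data test right below it only fires when `avp_len > GETAVPHDRSZ(...)`, so a declared length shorter than the AVP's own header used to skip that test and fall through to code that is outside this hunk. I would spell that out, e.g. `/* avp_len includes the header: a value below the header size is malformed and is not caught by the remaining-data check below */`. The enclosing function starts and ends outside the hunk, so whether AVPs parsed earlier are released by the caller on this `EBADMSG` return cannot be confirmed from here.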
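Review bot: The new `msglen < GETMSGHDRSZ()` branch in the second hunk has no comment, unlike the AVP guard added in the first hunk; something like `/* A declared length below the fixed header size cannot be a valid message */` would make the intent clear. The diffstat lists only libfdproto/messages.c, so neither lower-bound check appears to be covered by a test in this changeset. A case that feeds a buffer whose length field is smaller than the header size and expects `EBADMSG` would keep both guards from regressing. The function body starts before and continues after the hunk.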