Changes in libfdproto/messages.c [1539:d25ce064c667:1549:19ab8ac08a36] in freeDiameter

File:

• libfdproto/messages.c (modified) (2 diffs)

libfdproto/messages.c

@@ -1947 +1947 @@
                 }
                 
+                /* Check the length is valid */
+                if ( avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags) ) {
+                        TRACE_DEBUG(INFO, "Invalid AVP size %d",
+                                        avp->avp_public.avp_len);
+                        free(avp);
+                        return EBADMSG;
+                }
+
                 /* Check there is enough remaining data in the buffer */
                 if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags))
@@ -1992 +2000 @@
                 TRACE_DEBUG(INFO, "Truncated message (%zd / %d)", buflen, msglen );
                 return EBADMSG; 
+        }
+        if ( msglen < GETMSGHDRSZ() ) {
+                TRACE_DEBUG(INFO, "Invalid message length (%d)", msglen );
+                return EBADMSG;
         }