Changeset 1403:6a35c5470ef4 in freeDiameter for libfdproto

Timestamp:

Jul 7, 2020, 2:24:48 AM (4 years ago)

Author:

Sebastien Decugis <sdecugis@freediameter.net>

Branch:

default

Phase:

public

Message:

Security fix: check invalid incoming data

File:

• libfdproto/messages.c (modified) (2 diffs)

libfdproto/messages.c

@@ -1947 +1947 @@
                 }
                 
+                /* Check the length is valid */
+                if ( avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags) ) {
+                        TRACE_DEBUG(INFO, "Invalid AVP size %d",
+                                        avp->avp_public.avp_len);
+                        free(avp);
+                        return EBADMSG;
+                }
+
                 /* Check there is enough remaining data in the buffer */
                 if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags))
@@ -1992 +2000 @@
                 TRACE_DEBUG(INFO, "Truncated message (%zd / %d)", buflen, msglen );
                 return EBADMSG; 
+        }
+        if ( msglen < GETMSGHDRSZ() ) {
+                TRACE_DEBUG(INFO, "Invalid message length (%d)", msglen );
+                return EBADMSG;
         }