From 75695e6416dce7f4eb2ba42d78e87e7f79e41c51 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sun, 21 Apr 2024 09:28:33 +0200 Subject: fix #8659 in anastasis.git --- src/lib/anastasis_recovery.c | 119 +++++++++++++++++++++++++++++-------------- 1 file changed, 80 insertions(+), 39 deletions(-) (limited to 'src/lib/anastasis_recovery.c') diff --git a/src/lib/anastasis_recovery.c b/src/lib/anastasis_recovery.c index f164c93..41f35a5 100644 --- a/src/lib/anastasis_recovery.c +++ b/src/lib/anastasis_recovery.c @@ -782,13 +782,11 @@ policy_lookup_cb (void *cls, json_dumpf (recovery_document, stderr, 0); - json_decref (recovery_document); r->csc (r->csc_cls, ANASTASIS_RS_POLICY_MALFORMED_JSON, NULL, 0); - ANASTASIS_recovery_abort (r); - return; + goto cleanup; } if (NULL != secret_name) { 
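Review bot: The malformed-JSON path at the top of this hunk still writes the whole recovery document to stderr with `json_dumpf (recovery_document, stderr, 0);` before reporting `ANASTASIS_RS_POLICY_MALFORMED_JSON`. That document carries the escrow methods and decryption policies parsed further down, so on a parse failure its contents end up in whatever captures the process's stderr. Consider dropping the dump or restricting it to debug builds, and logging only which field failed to parse. policy_lookup_cb starts before this hunk, and the `cleanup` label it now jumps to is defined in a later hunk.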
@@ -799,19 +797,37 @@ policy_lookup_cb (void *cls, } } + if ( (json_array_size (esc_methods) > UINT_MAX) || + (json_array_size (dec_policies) > UINT_MAX) ) + { + GNUNET_break_op (0); + r->csc (r->csc_cls, + ANASTASIS_RS_POLICY_DOWNLOAD_TOO_BIG, + NULL, + 0); + goto cleanup; + } + r->ri.version = dd->details.ok.version; - r->ri.cs_len = json_array_size (esc_methods); - r->ri.dps_len = json_array_size (dec_policies); - r->ri.dps = GNUNET_new_array (r->ri.dps_len, - struct ANASTASIS_DecryptionPolicy *); - r->dps = GNUNET_new_array (r->ri.dps_len, - struct DecryptionPolicy); - r->solved_challenges = GNUNET_new_array (r->ri.cs_len, - struct ANASTASIS_Challenge *); - r->ri.cs = GNUNET_new_array (r->ri.cs_len, - struct ANASTASIS_Challenge *); - r->cs = GNUNET_new_array (r->ri.cs_len, - struct ANASTASIS_Challenge); + r->ri.cs_len + = (unsigned int) json_array_size (esc_methods); + r->ri.dps_len + = (unsigned int) json_array_size (dec_policies); + r->ri.dps + = GNUNET_new_array (r->ri.dps_len, + struct ANASTASIS_DecryptionPolicy *); + r->dps + = GNUNET_new_array (r->ri.dps_len, + struct DecryptionPolicy); + r->solved_challenges + = GNUNET_new_array (r->ri.cs_len, + struct ANASTASIS_Challenge *); + r->ri.cs + = GNUNET_new_array (r->ri.cs_len, + struct ANASTASIS_Challenge *); + r->cs + = GNUNET_new_array (r->ri.cs_len, + struct ANASTASIS_Challenge); for (unsigned int i = 0; i < r->ri.cs_len; i++) { struct ANASTASIS_Challenge *cs = &r->cs[i]; @@ -849,9 +865,7 @@ policy_lookup_cb (void *cls, ANASTASIS_RS_POLICY_MALFORMED_JSON, NULL, 0); - ANASTASIS_recovery_abort (r); - json_decref (recovery_document); - return; + goto cleanup; } cs->url = GNUNET_strdup (url); cs->type = GNUNET_strdup (escrow_type); 
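Review bot: The new `> UINT_MAX` guard only prevents truncation in the casts to `unsigned int`; the element counts still flow unbounded into the five `GNUNET_new_array` calls that follow. As far as I know, GNUnet's allocator asserts rather than returning NULL when a request exceeds its checked-malloc limit, so a document with a large but sub-`UINT_MAX` number of entries would likely abort the process instead of reaching the `ANASTASIS_RS_POLICY_DOWNLOAD_TOO_BIG` path. An application-level cap far below `UINT_MAX`, tested in the same `if` (e.g. `json_array_size (esc_methods) > MAX_ENTRIES`, where `MAX_ENTRIES` is a placeholder name), would keep that failure on the graceful path. The same applies to the `uuids` check in the -890 hunk and to the checks in parse_cs_array and parse_dps_array; the right limit is a project decision that is not visible here.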
@@ -890,15 +904,23 @@ policy_lookup_cb (void *cls, ANASTASIS_RS_POLICY_MALFORMED_JSON, NULL, 0); - ANASTASIS_recovery_abort (r); - json_decref (recovery_document); - return; + goto cleanup; } GNUNET_assert (NULL != dp->emk); GNUNET_assert (dp->emk_size > 0); - dp->pub_details.challenges_length = json_array_size (uuids); + if (json_array_size (uuids) > UINT_MAX) + { + GNUNET_break_op (0); + r->csc (r->csc_cls, + ANASTASIS_RS_POLICY_MALFORMED_JSON, + NULL, + 0); + goto cleanup; + } + dp->pub_details.challenges_length + = (unsigned int) json_array_size (uuids); dp->pub_details.challenges = GNUNET_new_array (dp->pub_details.challenges_length, struct ANASTASIS_Challenge *); @@ -921,9 +943,7 @@ policy_lookup_cb (void *cls, ANASTASIS_RS_POLICY_MALFORMED_JSON, NULL, 0); - ANASTASIS_recovery_abort (r); - json_decref (recovery_document); - return; + goto cleanup; } for (unsigned int i = 0; iri.cs_len; i++) { @@ -942,15 +962,17 @@ policy_lookup_cb (void *cls, ANASTASIS_RS_POLICY_MALFORMED_JSON, NULL, 0); - ANASTASIS_recovery_abort (r); - json_decref (recovery_document); - return; + goto cleanup; } } } r->pc (r->pc_cls, &r->ri); json_decref (recovery_document); + return; +cleanup: + ANASTASIS_recovery_abort (r); + json_decref (recovery_document); } @@ -1126,16 +1148,23 @@ parse_cs_array (struct ANASTASIS_Recovery *r, const json_t *cs_arr) { json_t *cs; - unsigned int n_index; + size_t n_index; if (! json_is_array (cs_arr)) { GNUNET_break_op (0); return GNUNET_SYSERR; } - r->ri.cs_len = json_array_size (cs_arr); - r->solved_challenges = GNUNET_new_array (r->ri.cs_len, - struct ANASTASIS_Challenge *); + if (json_array_size (cs_arr) > UINT_MAX) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + r->ri.cs_len + = (unsigned int) json_array_size (cs_arr); + r->solved_challenges + = GNUNET_new_array (r->ri.cs_len, + struct ANASTASIS_Challenge *); r->ri.cs = GNUNET_new_array (r->ri.cs_len, struct ANASTASIS_Challenge *); r->cs = GNUNET_new_array (r->ri.cs_len, 
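Review bot: An oversized `uuids` array is reported here as `ANASTASIS_RS_POLICY_MALFORMED_JSON`, while the equivalent check on `esc_methods` and `dec_policies` in the -799 hunk reports `ANASTASIS_RS_POLICY_DOWNLOAD_TOO_BIG`. Callers that distinguish the two codes will see the same condition classified differently depending on which array was too large. Unless the difference is intended, use one code for all three size checks, for example `ANASTASIS_RS_POLICY_DOWNLOAD_TOO_BIG,` in this `r->csc` call. The enclosing loop body begins outside the hunk.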
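Review bot: The new `cleanup:` label in the -942 hunk only aborts the recovery and releases the document, so every error site still has to repeat the four-line `r->csc (...)` call before `goto cleanup`, and a future site that forgets it would abort without notifying the application. Setting a local status before the jump and calling `r->csc (r->csc_cls, rs, NULL, 0);` once at the label (with `rs` a local status variable) would remove the duplication. If the current shape is kept, a comment such as `/* error exit: the failure was already reported via r->csc */` above the label documents the contract.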
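Review bot: In the -1126 hunk, `json_array_size (cs_arr)` is evaluated twice, once in the `UINT_MAX` check and again in the cast, and the same pattern recurs in the -1212 and -1259 hunks and in policy_lookup_cb. Reading it once into a local, `size_t len = json_array_size (cs_arr);`, then testing `len > UINT_MAX` and assigning `r->ri.cs_len = (unsigned int) len;`, makes it evident that the checked value and the stored value are the same. A one-line comment such as `/* cs_len is unsigned int: reject sizes the cast would truncate */` would also explain why the bound is `UINT_MAX`. parse_cs_array continues past the end of this hunk.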
@@ -1212,14 +1241,20 @@ parse_dps_array (struct ANASTASIS_Recovery *r, const json_t *dps_arr) { json_t *dps; - unsigned int n_index; + size_t n_index; if (! json_is_array (dps_arr)) { GNUNET_break_op (0); return GNUNET_SYSERR; } - r->ri.dps_len = json_array_size (dps_arr); + if (json_array_size (dps_arr) > UINT_MAX) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + r->ri.dps_len + = (unsigned int) json_array_size (dps_arr); r->dps = GNUNET_new_array (r->ri.dps_len, struct DecryptionPolicy); r->ri.dps = GNUNET_new_array (r->ri.dps_len, @@ -1259,14 +1294,20 @@ parse_dps_array (struct ANASTASIS_Recovery *r, } GNUNET_assert (NULL != dp->emk); GNUNET_assert (dp->emk_size > 0); - dp->pub_details.challenges_length = json_array_size (challenges); - dp->pub_details.challenges = GNUNET_new_array ( - dp->pub_details.challenges_length, - struct ANASTASIS_Challenge *); + if (json_array_size (challenges) > UINT_MAX) + { + GNUNET_break_op (0); + return GNUNET_SYSERR; + } + dp->pub_details.challenges_length + = (unsigned int) json_array_size (challenges); + dp->pub_details.challenges + = GNUNET_new_array (dp->pub_details.challenges_length, + struct ANASTASIS_Challenge *); { json_t *challenge; - unsigned int c_index; + size_t c_index; json_array_foreach (challenges, c_index, challenge) { struct ANASTASIS_CRYPTO_TruthUUIDP uuid; -- cgit v1.2.3