gnunet

Main GNUnet Logic
Log | Files | Refs | Submodules | README | LICENSE
commit a57cb054a22bb7c4fd78457f15ed3802e20d21b4
parent c9fc239f277e0a3e0641a0e04067f28945079a3c
Author: Bart Polot <bart@net.in.tum.de>
Date:   Wed, 19 Aug 2015 10:53:50 +0000

- fix #3928: make sure accessed variables are below size threshold

Diffstat:

Msrc/cadet/gnunet-service-cadet_tunnel.c | 7++++++-


1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/cadet/gnunet-service-cadet_tunnel.c b/src/cadet/gnunet-service-cadet_tunnel.c
@@ -3134,7 +3134,7 @@ GCT_handle_encrypted (struct CadetTunnel *t,
      this loop may be unaligned, see util's MST for
      how to do this right. */
   off = 0;
-  while (off < decrypted_size)
+  while (off + sizeof (struct GNUNET_MessageHeader) < decrypted_size)
   {
     uint16_t msize;
 
@@ -3145,6 +3145,11 @@ GCT_handle_encrypted (struct CadetTunnel *t,
       GNUNET_break_op (0);
       return;
     }
+    if (off + msize < decrypted_size)
+    {
+      GNUNET_break_op (0);
+      return;
+    }
     handle_decrypted (t, msgh, GNUNET_SYSERR);
     off += msize;
   }