Fix some more (read-only) buffer overflows.

ac3261f6 · Juliusz Chroboczek · e8669a93 · ac3261f6 · ac3261f6
Commit ac3261f6 authored Jul 22, 2019 by Juliusz Chroboczek
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

hmac.c hmac.c +3 -3

message.c message.c +2 -2

No files found.
--- a/hmac.c
+++ b/hmac.c
@@ -274,13 +274,13 @@ check_hmac(const unsigned char *packet, int packetlen, int bodylen,
    debugf("check_hmac %s -> %s\n",
 	   format_address(src), format_address(dst));
    while(i < packetlen) {
-	if(i + 1 > packetlen) {
+	if(i + 2 > packetlen) {
            fprintf(stderr, "Received truncated message.\n");
            break;
        }
-        len = packet[i+1];
+        len = packet[i + 1];
        if(packet[i] == MESSAGE_HMAC) {
-	    if(i + len > packetlen) {
+	    if(i + len + 2 > packetlen) {
 	        fprintf(stderr, "Received truncated message.\n");
 		return -1;
 	    }

--- a/message.c
+++ b/message.c
@@ -459,12 +459,12 @@ preparse_packet(const unsigned char *packet, int bodylen,
 	    i++;
 	    continue;
 	}
-	if(i + 1 > bodylen) {
+	if(i + 2 > bodylen) {
            fprintf(stderr, "Received truncated message.\n");
            break;
        }
 	len = message[1];
-	if(i + len > bodylen) {
+	if(i + len + 2 > bodylen) {
            fprintf(stderr, "Received truncated message.\n");
            break;
        }