Commit 4c462e6f authored by Rob Pike's avatar Rob Pike

gob: protect against invalid message length

Fixes #2301.

R=golang-dev, gri
CC=golang-dev
https://golang.org/cl/5134048
parent 6c230fbc
...@@ -58,6 +58,8 @@ func (dec *Decoder) recvType(id typeId) { ...@@ -58,6 +58,8 @@ func (dec *Decoder) recvType(id typeId) {
dec.wireType[id] = wire dec.wireType[id] = wire
} }
var errBadCount = gobError{os.NewError("invalid message length")}
// recvMessage reads the next count-delimited item from the input. It is the converse // recvMessage reads the next count-delimited item from the input. It is the converse
// of Encoder.writeMessage. It returns false on EOF or other error reading the message. // of Encoder.writeMessage. It returns false on EOF or other error reading the message.
func (dec *Decoder) recvMessage() bool { func (dec *Decoder) recvMessage() bool {
...@@ -67,6 +69,10 @@ func (dec *Decoder) recvMessage() bool { ...@@ -67,6 +69,10 @@ func (dec *Decoder) recvMessage() bool {
dec.err = err dec.err = err
return false return false
} }
if nbytes >= 1<<31 {
dec.err = errBadCount
return false
}
dec.readMessage(int(nbytes)) dec.readMessage(int(nbytes))
return dec.err == nil return dec.err == nil
} }
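Review bot: The new bound in recvMessage, `if nbytes >= 1<<31`, only rejects counts that cannot be held in a non-negative 32-bit int, so a length just under 2 GiB read from the stream is still passed to `dec.readMessage(int(nbytes))`. readMessage is not shown here, but if it sizes its buffer from that argument, a few bytes of untrusted input can still request a very large allocation. Consider a named and much lower ceiling, for example `const maxMessageLen = 1 << 30 // illustrative cap; tune to the largest legitimate message` with `if nbytes >= maxMessageLen {`, and give errBadCount a one-line comment stating when it is returned. The body of recvMessage begins above this hunk.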
......
...@@ -628,3 +628,13 @@ func TestSliceReusesMemory(t *testing.T) { ...@@ -628,3 +628,13 @@ func TestSliceReusesMemory(t *testing.T) {
} }
} }
} }
// Used to crash: negative count in recvMessage.
func TestBadCount(t *testing.T) {
b := []byte{0xfb, 0xa5, 0x82, 0x2f, 0xca, 0x1}
if err := NewDecoder(bytes.NewBuffer(b)).Decode(nil); err == nil {
t.Error("expected error from bad count")
} else if err.String() != errBadCount.String() {
t.Error("expected bad count error; got", err)
}
}
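Review bot: TestBadCount exercises one oversized count and leaves the edge of the new check untested; a case whose count is exactly 1<<31 would pin the `>=` comparison. The byte literal also deserves a comment, for example `// 0xfb marks a 5-byte length; the bytes that follow decode to a count far above 1<<31`. Comparing `err.String()` values works, but it would also pass for any other error carrying the same text, so comparing against errBadCount itself is stricter if Decode returns it unwrapped (not visible in this hunk).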