Commit ac3261f6 authored by Juliusz Chroboczek's avatar Juliusz Chroboczek

Fix some more (read-only) buffer overflows.

parent e8669a93
...@@ -274,13 +274,13 @@ check_hmac(const unsigned char *packet, int packetlen, int bodylen, ...@@ -274,13 +274,13 @@ check_hmac(const unsigned char *packet, int packetlen, int bodylen,
debugf("check_hmac %s -> %s\n", debugf("check_hmac %s -> %s\n",
format_address(src), format_address(dst)); format_address(src), format_address(dst));
while(i < packetlen) { while(i < packetlen) {
if(i + 1 > packetlen) { if(i + 2 > packetlen) {
fprintf(stderr, "Received truncated message.\n"); fprintf(stderr, "Received truncated message.\n");
break; break;
} }
len = packet[i+1]; len = packet[i + 1];
if(packet[i] == MESSAGE_HMAC) { if(packet[i] == MESSAGE_HMAC) {
if(i + len > packetlen) { if(i + len + 2 > packetlen) {
fprintf(stderr, "Received truncated message.\n"); fprintf(stderr, "Received truncated message.\n");
return -1; return -1;
} }
......
...@@ -459,12 +459,12 @@ preparse_packet(const unsigned char *packet, int bodylen, ...@@ -459,12 +459,12 @@ preparse_packet(const unsigned char *packet, int bodylen,
i++; i++;
continue; continue;
} }
if(i + 1 > bodylen) { if(i + 2 > bodylen) {
fprintf(stderr, "Received truncated message.\n"); fprintf(stderr, "Received truncated message.\n");
break; break;
} }
len = message[1]; len = message[1];
if(i + len > bodylen) { if(i + len + 2 > bodylen) {
fprintf(stderr, "Received truncated message.\n"); fprintf(stderr, "Received truncated message.\n");
break; break;
} }
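Review bot: In check_hmac the truncated-header case (`if(i + 2 > packetlen)`) still leaves the loop with `break`, while the truncated-HMAC-body case a few lines below returns -1. The code after the loop is outside the hunk, so it is not visible whether a packet with a cut-short trailer ends up rejected. Since this function decides whether a packet is authenticated, `return -1;` at that spot would make the fail-closed intent explicit; if the break is deliberate, a comment such as `/* malformed trailer: fall through to the no-valid-HMAC result */` would do the same. Separately, the literal `2` (type byte plus length byte) now carries all four bounds checks in check_hmac and preparse_packet, and a named constant for the TLV header size would make an off-by-one like the one fixed here harder to reintroduce.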
......