fix: Fix potential array out-of-bounds in DHT random node retrieval.

It can't happen in almost every reality, except when the RNG is fairly broken and doesn't add 2 fake DHT friends on startup. Still, this code should be defensive and never index outside `num_friends` elements.
TokTok · Apr 10, 2022 · 565196f · 565196f
1 parent 60b71ad
commit 565196f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
@@ -1 +1 @@
-624c610327a1288eb58196fb0e93d98d5a3c01ad86835799b90c1936fcbbc156  /usr/local/bin/tox-bootstrapd
+bded6f7ca320d8dfcb123a02c2c06aa9615b0e29e1d1d5b33b94bf88e85524d3  /usr/local/bin/tox-bootstrapd
diff --git a/toxcore/DHT.c b/toxcore/DHT.c
@@ -2602,7 +2602,7 @@ uint16_t randfriends_nodes(const DHT *dht, Node_format *nodes, uint16_t max_num)
     const uint32_t r = random_range_u32(dht->rng, dht->num_friends - DHT_FAKE_FRIEND_NUMBER);
     uint16_t count = 0;
 
-    for (size_t i = 0; i < DHT_FAKE_FRIEND_NUMBER; ++i) {
+    for (uint32_t i = 0; i < DHT_FAKE_FRIEND_NUMBER && i < dht->num_friends; ++i) {
         count += list_nodes(dht->rng, dht->friends_list[r + i].client_list,
                             MAX_FRIEND_CLIENTS, dht->cur_time,
                             nodes + count, max_num - count);
@@ -2766,6 +2766,12 @@ DHT *new_dht(const Logger *log, const Random *rng, const Network *ns, Mono_Time
         }
     }
 
+    if (dht->num_friends != DHT_FAKE_FRIEND_NUMBER) {
+        LOGGER_ERROR(log, "the RNG provided seems to be broken: it generated the same keypair twice");
+        kill_dht(dht);
+        return nullptr;
+    }
+
     return dht;
 }
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		624c610327a1288eb58196fb0e93d98d5a3c01ad86835799b90c1936fcbbc156 /usr/local/bin/tox-bootstrapd
		bded6f7ca320d8dfcb123a02c2c06aa9615b0e29e1d1d5b33b94bf88e85524d3 /usr/local/bin/tox-bootstrapd