fix: Fix a stack overflow triggered by small DHT packets.

This isn't in production yet. It's in the new announce store code. The problem was that a negative plain_len was converted to unsigned, which made it a very large number.
TokTok · Apr 4, 2022 · a08e5f3 · a08e5f3
1 parent 9410262
commit a08e5f3
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
@@ -1 +1 @@
-5796f74532156d61d5c715914b5013ae0544892f7d6dca237b1f6a828f49fc9c  /usr/local/bin/tox-bootstrapd
+866b75eabc4336c0998778fae2e55e845d853eaeb8cf7af361b749cb48d6d08e  /usr/local/bin/tox-bootstrapd
diff --git a/toxcore/DHT.c b/toxcore/DHT.c
@@ -1079,7 +1079,7 @@ static int handle_data_search_response(void *object, const IP_Port *source,
 
     const int32_t plain_len = (int32_t)length - (1 + CRYPTO_PUBLIC_KEY_SIZE + CRYPTO_NONCE_SIZE + CRYPTO_MAC_SIZE);
 
-    if (plain_len < CRYPTO_PUBLIC_KEY_SIZE + sizeof(uint64_t)) {
+    if (plain_len < (int32_t)(CRYPTO_PUBLIC_KEY_SIZE + sizeof(uint64_t))) {
         return 1;
     }
 

diff --git a/toxcore/announce.c b/toxcore/announce.c
@@ -544,7 +544,7 @@ static int create_reply(Announcements *announce, const IP_Port *source,
 {
     const int plain_len = (int)length - (1 + CRYPTO_PUBLIC_KEY_SIZE + CRYPTO_NONCE_SIZE + CRYPTO_MAC_SIZE);
 
-    if (plain_len < sizeof(uint64_t)) {
+    if (plain_len < (int)sizeof(uint64_t)) {
         return -1;
     }
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		5796f74532156d61d5c715914b5013ae0544892f7d6dca237b1f6a828f49fc9c /usr/local/bin/tox-bootstrapd
		866b75eabc4336c0998778fae2e55e845d853eaeb8cf7af361b749cb48d6d08e /usr/local/bin/tox-bootstrapd