From: Alberto Leiva Popper Date: Tue, 24 Oct 2023 18:52:09 +0000 (-0600) Subject: Truncate erroneos PDU if incomplete X-Git-Tag: 1.6.0~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d5582d00857b9ec8426a46be9c1709c9fda5ac0;p=thirdparty%2FFORT-validator.git Truncate erroneos PDU if incomplete This can happen if eg. the client parrots length 512 in header, but only sends 8 bytes. Fort was trying to assemble a 512 length erroneous PDU using an 8 byte buffer, and therefore leaking raw memory contents to the client. --- diff --git a/src/rtr/pdu_sender.c b/src/rtr/pdu_sender.c index 41d347a9..10a5da6d 100644 --- a/src/rtr/pdu_sender.c +++ b/src/rtr/pdu_sender.c @@ -209,6 +209,7 @@ compute_error_pdu_len(struct rtr_buffer const *request) | (((unsigned int)(request->bytes[6])) << 8) | (((unsigned int)(request->bytes[7])) ); + result = (result <= request->bytes_len) ? result : request->bytes_len; return (result <= RTRPDU_MAX_LEN) ? result : RTRPDU_MAX_LEN; }
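Review bot: the added clamp in compute_error_pdu_len() bounds the result by request->bytes_len, but the length field is still read from request->bytes[6] and request->bytes[7] in the lines just above it, and nothing in the visible context confirms that bytes_len is at least 8 before those reads. If a caller can reach this function with a shorter buffer, the header read itself goes out of bounds, so consider an early return when request->bytes_len < 8, or a comment stating that callers guarantee a complete header. The two successive ternaries would also read more clearly as a single minimum of the header length, request->bytes_len and RTRPDU_MAX_LEN, with a short comment noting that the header length is client-controlled and cannot be trusted. A regression test for the case in the commit message (length 512 in the header, only 8 bytes sent) would keep the leak from coming back.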