]> git.ipfire.org Git - thirdparty/FORT-validator.git/commitdiff
projects / thirdparty / FORT-validator.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0da59d8)
Truncate erroneos PDU if incomplete
authorAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 24 Oct 2023 18:52:09 +0000 (12:52 -0600)
committerAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 24 Oct 2023 19:49:31 +0000 (13:49 -0600)
This can happen if eg. the client parrots length 512 in header, but only
sends 8 bytes.

Fort was trying to assemble a 512 length erroneous PDU using an 8 byte
buffer, and therefore leaking raw memory contents to the client.

src/rtr/pdu_sender.c patch | blob | blame | history

diff --git a/src/rtr/pdu_sender.c b/src/rtr/pdu_sender.c
index 41d347a912177c9235fcdca70148fe3173ea83b0..10a5da6db091d3484669230ce8751cb24e075b7c 100644 (file)
--- a/src/rtr/pdu_sender.c
+++ b/src/rtr/pdu_sender.c
@@ -209,6 +209,7 @@ compute_error_pdu_len(struct rtr_buffer const *request)
               | (((unsigned int)(request->bytes[6])) <<  8)
               | (((unsigned int)(request->bytes[7]))      );
 
+       result = (result <= request->bytes_len) ? result : request->bytes_len;
        return (result <= RTRPDU_MAX_LEN) ? result : RTRPDU_MAX_LEN;
 }
 
Mirror of https://github.com/NICMx/FORT-validator.git