From 4d5582d00857b9ec8426a46be9c1709c9fda5ac0 Mon Sep 17 00:00:00 2001
From: Alberto Leiva Popper
Date: Tue, 24 Oct 2023 12:52:09 -0600
Subject: [PATCH] Truncate erroneos PDU if incomplete
This can happen if eg. the client parrots length 512 in header, but only sends 8 bytes. Fort was trying to assemble a 512 length erroneous PDU using an 8 byte buffer, and therefore leaking raw memory contents to the client.
---
 src/rtr/pdu_sender.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/rtr/pdu_sender.c b/src/rtr/pdu_sender.c
index 41d347a9..10a5da6d 100644
--- a/src/rtr/pdu_sender.c
+++ b/src/rtr/pdu_sender.c
@@ -209,6 +209,7 @@ compute_error_pdu_len(struct rtr_buffer const *request)
 | (((unsigned int)(request->bytes[6])) << 8)
 | (((unsigned int)(request->bytes[7])) );
+ result = (result <= request->bytes_len) ? result : request->bytes_len;
 return (result <= RTRPDU_MAX_LEN) ? result : RTRPDU_MAX_LEN;
 }
-- 
2.47.2
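Review bot: The added clamp `result = (result <= request->bytes_len) ? result : request->bytes_len;` has no comment recording that `result` is the length field taken from the peer's own header, so the reason it must never exceed the bytes actually received is only in the commit message. I would put `/* Header length is peer-controlled; never echo more than was actually received. */` directly above it, so a later cleanup does not fold the line away as redundant with the `RTRPDU_MAX_LEN` cap. Separately, the context lines read `request->bytes[6]` and `request->bytes[7]`, which is only safe if `bytes_len` is already known to be at least 8. Any such guard would sit above the hunk, where the function body begins, so it is worth confirming. A regression test for a request whose header length is larger than the bytes received (the case in the description) would pin this behaviour.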