authorfanquake <fanquake@gmail.com>2023-10-30 14:26:25 +0100
committerfanquake <fanquake@gmail.com>2023-10-30 14:44:40 +0100
commitec5116ae14d9b3ae8efac58c93718d42361515a0 (patch)
tree2ec0d7456c6ddfc6bca3325e3b729a5db96e7e0b /src/i2p.cpp
parenta3670b227333e8d1a50759a4dd496c2f54f98fa6 (diff)
parent5cf4d266d9b1e7bd9394e7581398de5bc540ae99 (diff)
downloadbitcoin-ec5116ae14d9b3ae8efac58c93718d42361515a0.tar.xz
Merge bitcoin/bitcoin#28695: net: Sanity check private keys received from SAM proxy
5cf4d266d9b1e7bd9394e7581398de5bc540ae99 [test] Test i2p private key constraints (Vasil Dimov) cf70a8d56510a5f07eff0fd773184cae14b2dcc9 [net] Check i2p private key constraints (dergoegge) Pull request description: Not sanity checking can lead to crashes or worse: ``` ==1715589==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000055c2 at pc 0x5622ed66e7ad bp 0x7ffee547a2c0 sp 0x7ffee547a2b8 READ of size 2 at 0x6140000055c2 thread T0 (b-test) #0 0x5622ed66e7ac in memcpy include/bits/string_fortified.h:29:10 #1 0x5622ed66e7ac in i2p::sam::Session::MyDestination() const src/i2p.cpp:362:5 #2 0x5622ed662e46 in i2p::sam::Session::CreateIfNotCreatedAlready() src/i2p.cpp:414:40 #3 0x5622ed6619f2 in i2p::sam::Session::Listen(i2p::Connection&) src/i2p.cpp:143:9 ``` ACKs for top commit: maflcko: code lgtm ACK 5cf4d266d9b1e7bd9394e7581398de5bc540ae99 stickies-v: re-ACK 5cf4d266d9b1e7bd9394e7581398de5bc540ae99 vasild: ACK 5cf4d266d9b1e7bd9394e7581398de5bc540ae99 Tree-SHA512: 3de3bd396538fa619de67957b9c8a58011ab911f0f51097c387e730c13908278b7322aa3357051fb245a20b15bef34b0e9fadcb1eff8ad751139d2aa634c78ad
Diffstat (limited to 'src/i2p.cpp')
-rw-r--r--src/i2p.cpp15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/i2p.cpp b/src/i2p.cpp
index 05a5dde396..685b43ba18 100644
--- a/src/i2p.cpp
+++ b/src/i2p.cpp
@@ -384,11 +384,26 @@ Binary Session::MyDestination() const
static constexpr size_t CERT_LEN_POS = 385;
uint16_t cert_len;
+
+ if (m_private_key.size() < CERT_LEN_POS + sizeof(cert_len)) {
+ throw std::runtime_error(strprintf("The private key is too short (%d < %d)",
+ m_private_key.size(),
+ CERT_LEN_POS + sizeof(cert_len)));
+ }
+
memcpy(&cert_len, &m_private_key.at(CERT_LEN_POS), sizeof(cert_len));
cert_len = be16toh(cert_len);
const size_t dest_len = DEST_LEN_BASE + cert_len;
+ if (dest_len > m_private_key.size()) {
+ throw std::runtime_error(strprintf("Certificate length (%d) designates that the private key should "
+ "be %d bytes, but it is only %d bytes",
+ cert_len,
+ dest_len,
+ m_private_key.size()));
+ }
+
return Binary{m_private_key.begin(), m_private_key.begin() + dest_len};
}
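Review bot: The second check, `if (dest_len > m_private_key.size())`, still accepts a blob whose length equals `dest_len` exactly, that is, one holding a destination with no key material after it. Both reads in this hunk are now bounded, so this is not a memory-safety problem; but if the value handed back by the SAM proxy is expected to carry the private keys after the destination, `if (dest_len >= m_private_key.size()) {` would reject a truncated blob at this point rather than leaving it to be used later. A short comment above the first check, such as `// m_private_key is supplied by the SAM proxy and must be treated as untrusted input.`, would record why the bounds are enforced here. MyDestination() begins above the hunk, and the code that catches these std::runtime_error exceptions is not visible, so how a rejected key is surfaced to the caller should be confirmed there.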