From 5331ad0506fa1e13a70613309532588b2cc74bb5 Mon Sep 17 00:00:00 2001
From: Kaz Wesley
Date: Wed, 7 Nov 2018 12:39:44 -0800
Subject: fix a deserialization overflow edge case

A specially-constructed BlockTransactionsRequest can overflow in deserialization in a way that is currently harmless.

Github-Pull: #14685
Rebased-From: 6bed4b374daf26233e96fa7863d4324a5bfa99c2
---
 src/blockencodings.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/blockencodings.h')

diff --git a/src/blockencodings.h b/src/blockencodings.h
index fad1f56f54..4bfe538250 100644
--- a/src/blockencodings.h
+++ b/src/blockencodings.h
@@ -52,12 +52,12 @@ public:
 }
 }

- uint16_t offset = 0;
+ int32_t offset = 0;
 for (size_t j = 0; j < indexes.size(); j++) {
- if (uint64_t(indexes[j]) + uint64_t(offset) > std::numeric_limits::max())
+ if (int32_t(indexes[j]) + offset > std::numeric_limits::max())
 throw std::ios_base::failure("indexes overflowed 16 bits");
 indexes[j] = indexes[j] + offset;
- offset = indexes[j] + 1;
+ offset = int32_t(indexes[j]) + 1;
 }
 } else {
 for (size_t i = 0; i < indexes.size(); i++) {
--
cgit v1.2.3

From 2f9fd2932164eb86005e91cffcc66d2d79322db0 Mon Sep 17 00:00:00 2001
From: Kaz Wesley
Date: Tue, 13 Nov 2018 12:40:22 -0800
Subject: disallow oversized CBlockHeaderAndShortTxIDs

Otherwise we'd reply with a bogus BlockTransactionsRequest trying to request indexes with overflowed deltas.

Github-Pull: #14685
Rebased-From: b08af10fb299dc3fdcd1f022619fb112c72e5d8e
---
 src/blockencodings.h | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/blockencodings.h')

diff --git a/src/blockencodings.h b/src/blockencodings.h
index 4bfe538250..0c2b83ebcf 100644
--- a/src/blockencodings.h
+++ b/src/blockencodings.h
@@ -186,6 +186,9 @@ public:
 READWRITE(prefilledtxn);

+ if (BlockTxCount() > std::numeric_limits::max())
+ throw std::ios_base::failure("indexes overflowed 16 bits");
+
 if (ser_action.ForRead())
 FillShortTxIDSelector();
 }
--
cgit v1.2.3
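Review bot: The `int32_t` comparison on the new `if` line stays free of wraparound only because each `indexes[j]` was already rejected above 16 bits by the per-index read loop that precedes this hunk (outside it), which bounds `int32_t(indexes[j]) + offset` to at most 65535 + 65536; that invariant is what makes the narrower type safe and should be stated next to `int32_t offset = 0;`, e.g. `// int32_t: each index is already <= UINT16_MAX, so index + offset cannot wrap before the 16-bit check below`. The template argument of `std::numeric_limits::max()` appears to have been stripped in rendering on both the removed and added lines (presumably `<uint16_t>`, matching the "16 bits" message); confirm against the source file. The enclosing serialization function starts and ends outside the hunk.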
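Review bot: The new failure on the `BlockTxCount()` line reuses the message `"indexes overflowed 16 bits"` from the BlockTransactionsRequest check, so a peer-sent compact block that trips it is indistinguishable in logs from a malformed transactions request; a message naming what was actually rejected, `throw std::ios_base::failure("block transaction count overflowed 16 bits");`, makes the rejection attributable during triage. The check sits outside the `ser_action.ForRead()` branch, so it appears to run on the write path as well and would throw when serializing a locally built oversized CBlockHeaderAndShortTxIDs; that looks like the intent stated in the commit message, but a one-line comment above the `if` saying so would keep a later reader from treating it as read-only validation. `BlockTxCount()` and the rest of the enclosing serialization function lie outside the hunk.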