
[GNUnet-SVN] r37477 - gnunet/src/testbed


From: gnunet
Subject: [GNUnet-SVN] r37477 - gnunet/src/testbed
Date: Thu, 7 Jul 2016 10:55:26 +0200

Author: harsha
Date: 2016-07-07 10:55:26 +0200 (Thu, 07 Jul 2016)
New Revision: 37477

Modified:
   gnunet/src/testbed/testbed_api.c
Log:
introduce more message parsing checks

These checks may provide hints for Coverity.


Modified: gnunet/src/testbed/testbed_api.c
===================================================================
--- gnunet/src/testbed/testbed_api.c    2016-07-06 23:09:59 UTC (rev 37476)
+++ gnunet/src/testbed/testbed_api.c    2016-07-07 08:55:26 UTC (rev 37477)
@@ -1242,16 +1242,43 @@
   emsg = NULL;
   barrier = NULL;
   msize = ntohs (msg->header.size);
+  if (msize <= sizeof (struct GNUNET_TESTBED_BarrierStatusMsg))
+  {
+    GNUNET_break_op (0);
+    goto cleanup;
+  }
   name = msg->data;
   name_len = ntohs (msg->name_len);
+  if (name_len >=  //name_len is strlen(barrier_name)
+      (msize - ((sizeof msg->header) + sizeof (msg->status)) )   )
+  {
+    GNUNET_break_op (0);
+    goto cleanup;
+  }
+  if ('\0' != name[name_len])
+  {
+    GNUNET_break_op (0);
+    goto cleanup;
+  }
   LOG_DEBUG ("Received BARRIER_STATUS msg\n");
   status = ntohs (msg->status);
   if (GNUNET_TESTBED_BARRIERSTATUS_ERROR == status)
   {
     status = -1;
-    emsg_len = msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg) + name_len
-                        + 1);
-    emsg = GNUNET_malloc (emsg_len + 1);
+    //unlike name_len, emsg_len includes the trailing zero
+    emsg_len = msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg)
+                        + (name_len + 1));
+    if (0 == emsg_len)
+    {
+      GNUNET_break_op (0);
+      goto cleanup;
+    }
+    if ('\0' != (msg->data[(name_len + 1) + (emsg_len - 1)]))
+    {
+      GNUNET_break_op (0);
+      goto cleanup;
+    }
+    emsg = GNUNET_malloc (emsg_len);
     memcpy (emsg,
             msg->data + name_len + 1,
             emsg_len);
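Review bot: The new `name_len` bound subtracts only `sizeof msg->header` and `sizeof (msg->status)` from `msize`, but `name` points at `msg->data`, which follows the whole fixed struct, including the `name_len` field. The check is therefore looser than the payload actually present, so a peer-supplied `name_len` equal to or just above the payload length still reaches `name[name_len]`, which then reads past the end of the message. With such a value the later `emsg_len = msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg) + (name_len + 1))` can also wrap below zero, which `0 == emsg_len` does not catch (the type of `emsg_len` is declared outside the hunk, so this assumes it is unsigned). Bounding against the same struct size the `emsg_len` computation uses closes both: `if (name_len >= (msize - sizeof (struct GNUNET_TESTBED_BarrierStatusMsg)))`. The enclosing function and its `cleanup` label start and end outside this hunk.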



