summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDimitri Staessens <dimitri@ouroboros.rocks>2026-06-21 13:46:01 +0200
committerSander Vrijders <sander@ouroboros.rocks>2026-06-29 08:33:00 +0200
commita4cb64c2dea5d1dc4d0f915c160513d0d751a8c4 (patch)
treea3c45d5286f11e802f346b1487960e5844c67034
parent110d3ed8526197bd866e02199bfeae7569d73d8d (diff)
downloadouroboros-a4cb64c2dea5d1dc4d0f915c160513d0d751a8c4.tar.gz
ouroboros-a4cb64c2dea5d1dc4d0f915c160513d0d751a8c4.zip
lib: Bound crc_check against short packets
Reject a packet shorter than head_skip + CRCLEN before computing the CRC, instead of hashing over an underflowed length when the buffer is too small to hold the trailer. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
-rw-r--r--src/lib/dev.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/lib/dev.c b/src/lib/dev.c
index 88d6c5f6..845d07a8 100644
--- a/src/lib/dev.c
+++ b/src/lib/dev.c
@@ -347,8 +347,14 @@ static int crc_check(struct ssm_pk_buff * spb,
size_t head_skip)
{
uint32_t crc;
- uint8_t * head = ssm_pk_buff_head(spb) + head_skip;
- uint8_t * tail = ssm_pk_buff_pop_tail(spb, CRCLEN);
+ uint8_t * head;
+ uint8_t * tail;
+
+ if (ssm_pk_buff_len(spb) < head_skip + CRCLEN)
+ return 1;
+
+ head = ssm_pk_buff_head(spb) + head_skip;
+ tail = ssm_pk_buff_pop_tail(spb, CRCLEN);
mem_hash(HASH_CRC32, &crc, head, tail - head);