| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-06-21 13:46:01 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-06-29 08:33:00 +0200 |
| commit | a4cb64c2dea5d1dc4d0f915c160513d0d751a8c4 (patch) | |
| tree | a3c45d5286f11e802f346b1487960e5844c67034 | |
| parent | 110d3ed8526197bd866e02199bfeae7569d73d8d (diff) | |
lib: Bound crc_check against short packets
Reject a packet shorter than head_skip + CRCLEN before computing the
CRC, instead of hashing over an underflowed length when the buffer is
too small to hold the trailer.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
| -rw-r--r-- | src/lib/dev.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/lib/dev.c b/src/lib/dev.c index 88d6c5f6..845d07a8 100644 --- a/src/lib/dev.c +++ b/src/lib/dev.c @@ -347,8 +347,14 @@ static int crc_check(struct ssm_pk_buff * spb, size_t head_skip) { uint32_t crc; - uint8_t * head = ssm_pk_buff_head(spb) + head_skip; - uint8_t * tail = ssm_pk_buff_pop_tail(spb, CRCLEN); + uint8_t * head; + uint8_t * tail; + + if (ssm_pk_buff_len(spb) < head_skip + CRCLEN) + return 1; + + head = ssm_pk_buff_head(spb) + head_skip; + tail = ssm_pk_buff_pop_tail(spb, CRCLEN); mem_hash(HASH_CRC32, &crc, head, tail - head); |
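Review bot: The new guard `if (ssm_pk_buff_len(spb) < head_skip + CRCLEN)` in crc_check adds to a size_t before comparing, so a head_skip close to SIZE_MAX wraps the sum and lets a short packet through to `tail - head`, which is the same underflow this change is meant to close. Unless every caller passes a small constant, compare by subtraction instead: reject when the length is below CRCLEN first, then reject when length minus CRCLEN is below head_skip. The early `return 1` also carries no comment, so it is not clear from this hunk whether a too-short packet is meant to be indistinguishable from a CRC mismatch; a one-line comment above the check stating the intended meaning would settle that for callers.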
