if (ret == -1)
goto err;
- if ((newp->name_len < 1 || newp->name_len > buffer.len) ||
- (newp->id_len < 1 || newp->id_len > buffer.len)) {
+ if ((newp->name_len < 1 || newp->name_len > buffer.len - 8) ||
+ (newp->id_len < 1 || newp->id_len > buffer.len - 8) ||
+ (newp->id_len + newp->name_len > buffer.len - 8)) {
SILC_LOG_ERROR(("Incorrect channel payload in packet, packet dropped"));
goto err;
}
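Review bot: The new bounds compare against `buffer.len - 8` without first establishing that the buffer holds at least 8 bytes. If `buffer.len` is an unsigned type (its declaration is not in the hunk), a shorter packet makes the subtraction wrap to a very large value and all three comparisons pass. Unless the preceding unformat call already guarantees the minimum, a guard such as `if (buffer.len < 8) goto err;` ahead of the condition closes that. The same pattern appears in the channel message check (`buffer.len - 6 - mac_len - iv_len`, where the amount subtracted also depends on `mac_len` and `iv_len`) and in the channel key check (`buffer.len - 6`). The enclosing function starts and ends outside the hunk, so an earlier length check may already exist.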
/* Check the MAC of the message */
SILC_LOG_DEBUG(("Checking channel message MACs"));
- silc_hmac_make(hmac, dst, (data_len - iv_len - mac_len), mac2, &mac_len);
+ silc_hmac_init(hmac);
+ silc_hmac_update(hmac, dst, (data_len - iv_len - mac_len));
+ silc_hmac_update(hmac, data + (data_len - iv_len), iv_len);
+ silc_hmac_final(hmac, mac2, &mac_len);
if (memcmp(mac, mac2, mac_len)) {
+#if 1
+ /* Backwards support for old mac checking, remove in 1.0 */
+ silc_hmac_make(hmac, dst, (data_len - iv_len - mac_len), mac2, &mac_len);
+ if (memcmp(mac, mac2, mac_len)) {
+#endif
+
SILC_LOG_DEBUG(("Channel message MACs does not match"));
silc_free(dst);
return FALSE;
+#if 1
+ }
+#endif
}
SILC_LOG_DEBUG(("MAC is Ok"));
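Review bot: The `#if 1` fallback accepts a message whose MAC was computed without the IV, so the IV-covering check added just above it is not actually enforced. A message that fails the new MAC still passes if the legacy MAC matches, which leaves the IV unauthenticated for as long as this block is compiled in. Consider gating the legacy path behind a named build option instead of `#if 1` (placeholder name `SILC_COMPAT_OLD_CHANNEL_MAC`) and logging when it is taken, e.g. `SILC_LOG_DEBUG(("Channel message accepted with old-style MAC"));`, so the remaining exposure is visible and the planned removal in 1.0 is easy to find. Both comparisons also use `memcmp`, which is not constant-time; whether the codebase offers a constant-time compare is not visible here. The enclosing function starts and ends outside the hunk.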
if (ret == -1)
goto err;
- if (newp->data_len > buffer.len) {
+ if ((newp->data_len > buffer.len - 6 - mac_len - iv_len) ||
+ (newp->pad_len + newp->data_len > buffer.len - 6 - mac_len - iv_len)) {
SILC_LOG_ERROR(("Incorrect channel message payload in packet, "
"packet dropped"));
goto err;
SilcBufferStruct buf;
/* Compute the MAC of the channel message data */
- silc_hmac_make(hmac, data, data_len, mac, &mac_len);
+ silc_hmac_init(hmac);
+ silc_hmac_update(hmac, data, data_len);
+ silc_hmac_update(hmac, iv, iv_len);
+ silc_hmac_final(hmac, mac, &mac_len);
/* Put rest of the data to the payload */
silc_buffer_set(&buf, data, true_len);
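Review bot: The comment `/* Compute the MAC of the channel message data */` is stale now that the MAC also covers the IV; I would change it to `/* Compute the MAC over the channel message data followed by the IV */`. The order (data, then IV) has to match the verification side, which feeds `dst` and then the trailing `iv_len` bytes, so a short remark saying so would help keep the two in step. The enclosing function starts and ends outside the hunk.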
if (ret == -1)
goto err;
- if (newp->id_len < 1 || newp->key_len < 1 || newp->cipher_len < 1) {
+ if (newp->id_len < 1 || newp->key_len < 1 || newp->cipher_len < 1 ||
+ newp->id_len + newp->cipher_len + newp->key_len > buffer.len - 6) {
SILC_LOG_ERROR(("Incorrect channel key payload in packet"));
goto err;
}