From 04a52327d46bc09ba74c0232b4f7438bc84db593 Mon Sep 17 00:00:00 2001
From: Pekka Riikonen
Date: Fri, 3 Oct 2003 07:58:18 +0000
Subject: [PATCH] Better error checking added.

---
 lib/silccore/silcargument.c | 7 ++-----
 lib/silccore/silcattrs.c | 4 ++--
 lib/silccore/silcauth.c | 2 +-
 lib/silccore/silcchannel.c | 5 +++--
 4 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/lib/silccore/silcargument.c b/lib/silccore/silcargument.c
index d492ed74..9c088b51 100644
--- a/lib/silccore/silcargument.c
+++ b/lib/silccore/silcargument.c
@@ -71,15 +71,12 @@ SilcArgumentPayload silc_argument_payload_parse(const unsigned char *payload,
 SILC_STR_UI_SHORT(&p_len),
 SILC_STR_UI_CHAR(&arg_type),
 SILC_STR_END);
- if (ret == -1)
+ if (ret == -1 || p_len > buffer.len - 3)
 goto err;
-
+
 newp->argv_lens[i] = p_len;
 newp->argv_types[i] = arg_type;
 
- if (p_len > buffer.len - 3)
- break;
-
 /* Get argument data */
 silc_buffer_pull(&buffer, 3);
 ret = silc_buffer_unformat(&buffer,
diff --git a/lib/silccore/silcattrs.c b/lib/silccore/silcattrs.c
index 2ba0117b..7af8f6a0 100644
--- a/lib/silccore/silcattrs.c
+++ b/lib/silccore/silcattrs.c
@@ -299,7 +299,7 @@ SilcDList silc_attribute_payload_parse(const unsigned char *payload,
 if (ret == -1)
 goto err;
 
- if (newp->data_len > buffer.len) {
+ if (newp->data_len > buffer.len - 4) {
 SILC_LOG_ERROR(("Incorrect attribute payload in list"));
 goto err;
 }
@@ -619,7 +619,7 @@ bool silc_attribute_get_object(SilcAttributePayload payload,
 silc_buffer_unformat(&buffer,
 SILC_STR_UI16_NSTRING_ALLOC(&pk->type, &len),
 SILC_STR_END);
- if (res == -1)
+ if (res == -1 || len > buffer.len - 2)
 break;
 pk->data = silc_memdup(payload->data + 2 + len,
 payload->data_len - 2 - len);
diff --git a/lib/silccore/silcauth.c b/lib/silccore/silcauth.c
index 9c603df4..b6bfec6d 100644
--- a/lib/silccore/silcauth.c
+++ b/lib/silccore/silcauth.c
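Review bot: In silc_argument_payload_parse (lib/silccore/silcargument.c), the merged test `p_len > buffer.len - 3` is only sound if `buffer.len` is at least 3 whenever `ret != -1`. If `buffer.len` is an unsigned type (its declaration is not visible here), a shorter remainder makes the subtraction wrap and the comparison pass. Stating the lower bound in the condition removes that dependency on silc_buffer_unformat's behaviour: `if (ret == -1 || buffer.len < 3 || p_len > buffer.len - 3)`. The same pattern appears with `buffer.len - 4` and `buffer.len - 2` in silcattrs.c, `buffer.len - 6` in silcauth.c and `buffer.len - 8` in silcchannel.c. The function body continues outside the hunk.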
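Review bot: In silc_attribute_get_object (lib/silccore/silcattrs.c), the new `len > buffer.len - 2` exit is reached only after `SILC_STR_UI16_NSTRING_ALLOC(&pk->type, &len)` has succeeded, so `pk->type` holds an allocation at the `break`. Whether the code after the `break` releases it is outside the hunk; if it does not, every rejected payload leaks that string. In that case the length case should be split from the `res == -1` case: `if (res == -1) break;` followed by `if (len > buffer.len - 2) { silc_free(pk->type); break; }`. The silcauth.c hunk has the same shape: `silc_free(newp)` runs on the new `hostname_len` rejection, and if the specifier cut off above that hunk allocates the hostname, that buffer is not freed either.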
@@ -510,7 +510,7 @@ silc_key_agreement_payload_parse(const unsigned char *payload,
 &newp->hostname_len),
 SILC_STR_UI_INT(&newp->port),
 SILC_STR_END);
- if (ret == -1) {
+ if (ret == -1 || newp->hostname_len > buffer.len - 6) {
 silc_free(newp);
 return NULL;
 }
diff --git a/lib/silccore/silcchannel.c b/lib/silccore/silcchannel.c
index 5c83bbb4..aa316378 100644
--- a/lib/silccore/silcchannel.c
+++ b/lib/silccore/silcchannel.c
@@ -109,8 +109,9 @@ SilcDList silc_channel_payload_parse_list(const unsigned char *payload,
 if (ret == -1)
 goto err;
 
- if ((newp->name_len < 1 || newp->name_len > buffer.len) ||
- (newp->id_len < 1 || newp->id_len > buffer.len)) {
+ if ((newp->name_len < 1 || newp->name_len > buffer.len - 8) ||
+ (newp->id_len < 1 || newp->id_len > buffer.len - 8) ||
+ (newp->id_len + newp->name_len > buffer.len - 8)) {
 SILC_LOG_ERROR(("Incorrect channel payload in packet, packet dropped"));
 goto err;
 }
--
2.43.0
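Review bot: In silc_channel_payload_parse_list (lib/silccore/silcchannel.c), the added `newp->id_len + newp->name_len > buffer.len - 8` is the test that actually bounds the payload, but it adds two lengths read from the packet before comparing. The field types are not visible in the hunk; if they are as wide as the arithmetic, the sum can wrap and fall under the limit. Comparing against the remainder avoids the addition: `(newp->id_len > buffer.len - 8 - newp->name_len)`, which is safe once the preceding `newp->name_len > buffer.len - 8` test has passed. The function body continues outside the hunk.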