From 8c94186e5b81937b67ce0862c1f3e2cb1f484719 Mon Sep 17 00:00:00 2001 From: Pekka Riikonen Date: Mon, 22 Apr 2002 09:05:19 +0000 Subject: [PATCH] updates --- doc/draft-riikonen-silc-pp-05.nroff | 2 +- lib/silccore/silcauth.c | 22 +++++++++++++--------- lib/silccore/silcchannel.c | 11 +++++++---- lib/silccore/silcid.c | 2 +- lib/silccore/silcprivate.c | 2 +- 5 files changed, 23 insertions(+), 16 deletions(-) diff --git a/doc/draft-riikonen-silc-pp-05.nroff b/doc/draft-riikonen-silc-pp-05.nroff index 377c32d3..5a888a24 100644 --- a/doc/draft-riikonen-silc-pp-05.nroff +++ b/doc/draft-riikonen-silc-pp-05.nroff @@ -1707,7 +1707,7 @@ o Message Flags (2 bytes) - Includes the Message Flags of Private range for free use. o Message Length (2 bytes) - Indicates the length of the - the Message Data field in the payload, not including any + Message Data field in the payload, not including any other field. o Message Data (variable length) - The actual message to diff --git a/lib/silccore/silcauth.c b/lib/silccore/silcauth.c index cab3ae99..7cb173ec 100644 --- a/lib/silccore/silcauth.c +++ b/lib/silccore/silcauth.c @@ -68,7 +68,14 @@ SilcAuthPayload silc_auth_payload_parse(const unsigned char *data, return NULL; } - if (newp->len != buffer.len) { + if (newp->len != buffer.len || + newp->random_len + newp->auth_len > buffer.len - 8) { + silc_auth_payload_free(newp); + return NULL; + } + + /* Authentication data must be provided */ + if (newp->auth_len < 1) { silc_auth_payload_free(newp); return NULL; } @@ -379,7 +386,7 @@ bool silc_auth_verify(SilcAuthPayload payload, SilcAuthMethod auth_method, { SILC_LOG_DEBUG(("Verifying authentication")); - if (auth_method != payload->auth_method) + if (!payload || auth_method != payload->auth_method) return FALSE; switch (payload->auth_method) { 
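Review bot: The new bound `newp->random_len + newp->auth_len > buffer.len - 8` in silc_auth_payload_parse only works if buffer.len is already known to be at least 8 at this point; buffer.len is presumably unsigned, so on a shorter buffer the subtraction wraps to a large value and the check silently passes. If the silc_buffer_unformat call above the hunk fails whenever fewer than the fixed header bytes are present, that guarantee holds and deserves a comment such as `/* buffer.len >= 8 here: unformat above already consumed the fixed header */`; if it does not, an explicit `if (buffer.len < 8)` rejection is needed before this line. The same fixed-offset subtraction (`- 8`, `- 6`, `- 4`) appears in the silcchannel.c, silcid.c and silcprivate.c hunks of this patch and rests on the same assumption. silc_auth_payload_parse begins above the hunk.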
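Review bot: The added `!payload` guard in silc_auth_verify returns FALSE with no log line, so a NULL payload (most likely a caller bug or a parse failure that was not checked) is indistinguishable from an ordinary method mismatch in the debug output that this function otherwise emits. Splitting it off as `if (!payload) { SILC_LOG_DEBUG(("No authentication payload")); return FALSE; }` keeps the debug trail consistent with the "Verifying authentication" message just above. The enclosing silc_auth_verify continues past the hunk.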
@@ -391,15 +398,12 @@ bool silc_auth_verify(SilcAuthPayload payload, SilcAuthMethod auth_method, case SILC_AUTH_PASSWORD: /* Passphrase based authentication. The `pkcs', `hash', `id' and `type' arguments are not needed. */ - /* Carefully check that the auth_data field of the payload is not empty - (len=0), which seems to be a legal packet but would crash the - application. Maybe such packet should be dropped. -Johnny 2002/14/4 */ - if ((payload->auth_len == 0) || !auth_data) - break; - /* if lengths mismatch, avoid comparing unallocated memory locations */ - if (payload->auth_len != auth_data_len) + /* Sanity checks */ + if ((payload->auth_len == 0) || !auth_data || + payload->auth_len != auth_data_len) break; + if (!memcmp(payload->auth_data, auth_data, auth_data_len)) { SILC_LOG_DEBUG(("Passphrase Authentication successful")); return TRUE; diff --git a/lib/silccore/silcchannel.c b/lib/silccore/silcchannel.c index 5254c9ed..83f91977 100644 --- a/lib/silccore/silcchannel.c +++ b/lib/silccore/silcchannel.c @@ -67,8 +67,9 @@ SilcChannelPayload silc_channel_payload_parse(const unsigned char *payload, if (ret == -1) goto err; - if ((newp->name_len < 1 || newp->name_len > buffer.len) || - (newp->id_len < 1 || newp->id_len > buffer.len)) { + if ((newp->name_len < 1 || newp->name_len > buffer.len - 8) || + (newp->id_len < 1 || newp->id_len > buffer.len - 8) || + (newp->id_len + newp->name_len > buffer.len - 8)) { SILC_LOG_ERROR(("Incorrect channel payload in packet, packet dropped")); goto err; } @@ -373,7 +374,8 @@ silc_channel_message_payload_parse(unsigned char *payload, if (ret == -1) goto err; - if (newp->data_len > buffer.len) { + if ((newp->data_len > buffer.len - 6 - mac_len - iv_len) || + (newp->pad_len + newp->data_len > buffer.len - 6 - mac_len - iv_len)) { SILC_LOG_ERROR(("Incorrect channel message payload in packet, " "packet dropped")); goto err; 
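Review bot: The replacement `/* Sanity checks */` comment drops the rationale the removed comments carried — that `payload->auth_len != auth_data_len` is there because the memcmp on the next line would otherwise read past the shorter of the two buffers — so the condition now reads as arbitrary to the next maintainer; suggest `/* Lengths must match: memcmp below reads auth_data_len bytes from both buffers */`. Separately, because this branch compares a passphrase, memcmp returns at the first differing byte and so exposes how much of the secret matched through timing; a fixed-time comparison would be the defensive choice here, although that predates this change. silc_auth_verify continues outside the hunk.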
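Review bot: In the silc_channel_payload_parse hunk the first two upper bounds, `newp->name_len > buffer.len - 8` and `newp->id_len > buffer.len - 8`, are implied by the new third clause `newp->id_len + newp->name_len > buffer.len - 8` once both lengths have passed their `< 1` checks, so the condition carries two redundant comparisons. Either reduce it to the two `< 1` tests plus the sum check, or keep the extra clauses and say why with a one-line comment such as `/* individual bounds kept as defense in depth; the sum check is the real limit */`. The enclosing function starts above the hunk.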
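Review bot: In silc_channel_message_payload_parse, `buffer.len - 6 - mac_len - iv_len` wraps when buffer.len is smaller than the three subtrahends, and unlike the fixed 6-byte header, mac_len and iv_len are caller-supplied values that the unformat call above would not have validated against the buffer; nothing in the hunk establishes `buffer.len >= 6 + mac_len + iv_len`, so a truncated packet may pass this check. The first clause `newp->data_len > …` is also implied by the second. An explicit guard in front of the existing sum check removes the wrap: `if (buffer.len < 6 + mac_len + iv_len || newp->pad_len + newp->data_len > buffer.len - 6 - mac_len - iv_len)`, with a comment that the trailing IV and MAC must fit before the variable fields are bounded. If a check of this kind already exists above the hunk, a comment here pointing to it would suffice. The enclosing function starts above the hunk.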
@@ -582,7 +584,8 @@ silc_channel_key_payload_parse(const unsigned char *payload, if (ret == -1) goto err; - if (newp->id_len < 1 || newp->key_len < 1 || newp->cipher_len < 1) { + if (newp->id_len < 1 || newp->key_len < 1 || newp->cipher_len < 1 || + newp->id_len + newp->cipher_len + newp->key_len > buffer.len - 6) { SILC_LOG_ERROR(("Incorrect channel key payload in packet")); goto err; } diff --git a/lib/silccore/silcid.c b/lib/silccore/silcid.c index 6e892c08..57524d36 100644 --- a/lib/silccore/silcid.c +++ b/lib/silccore/silcid.c @@ -67,7 +67,7 @@ SilcIDPayload silc_id_payload_parse(const unsigned char *payload, silc_buffer_pull(&buffer, 4); - if (newp->len > buffer.len || newp->len > SILC_PACKET_MAX_ID_LEN) + if (newp->len > buffer.len - 4 || newp->len > SILC_PACKET_MAX_ID_LEN) goto err; ret = silc_buffer_unformat(&buffer, diff --git a/lib/silccore/silcprivate.c b/lib/silccore/silcprivate.c index ac99257f..3ddf7307 100644 --- a/lib/silccore/silcprivate.c +++ b/lib/silccore/silcprivate.c @@ -86,7 +86,7 @@ silc_private_message_payload_parse(unsigned char *payload, goto err; } - if ((newp->message_len < 1 || newp->message_len > buffer.len)) { + if ((newp->message_len < 1 || newp->message_len > buffer.len - 4)) { SILC_LOG_DEBUG(("Incorrect private message payload in packet, " "packet dropped")); goto err; -- 2.24.0
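Review bot: In the silcid.c hunk, the context line `silc_buffer_pull(&buffer, 4);` directly above the changed check presumably already advances the buffer past the 4-byte ID header, in which case buffer.len is the remaining length and `newp->len > buffer.len - 4` subtracts the header a second time, rejecting a valid payload whose ID fills the remainder. If pull reduces len, the original `newp->len > buffer.len` was the correct bound and should be kept; if it does not, a comment such as `/* buffer.len still includes the 4-byte header consumed above */` would save the next reader the same question. Either way this should be confirmed against silc_buffer_pull, which is outside the patch. silc_id_payload_parse starts before and continues after the hunk.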