Better error checking added.

diff --git a/lib/silccore/silcargument.c b/lib/silccore/silcargument.c
index d492ed742576b6e4442812568c86d0634581f679..9c088b51cd67fb3b94311e7d193e3c26d8a4314b 100644 (file)
--- a/lib/silccore/silcargument.c
+++ b/lib/silccore/silcargument.c
@@ -71,15 +71,12 @@ SilcArgumentPayload silc_argument_payload_parse(const unsigned char *payload,
                               SILC_STR_UI_SHORT(&p_len),
                               SILC_STR_UI_CHAR(&arg_type),
                               SILC_STR_END);
-    if (ret == -1)
+    if (ret == -1 || p_len > buffer.len - 3)
       goto err;
-    
+
     newp->argv_lens[i] = p_len;
     newp->argv_types[i] = arg_type;
 
-    if (p_len > buffer.len - 3)
-      break;
-    
     /* Get argument data */
     silc_buffer_pull(&buffer, 3);
     ret = silc_buffer_unformat(&buffer,

diff --git a/lib/silccore/silcattrs.c b/lib/silccore/silcattrs.c
index 2ba0117b79e0573bc4568281c989bed98a07bee5..7af8f6a052ed5068ee121ee5c3577e6d34b1edd5 100644 (file)
--- a/lib/silccore/silcattrs.c
+++ b/lib/silccore/silcattrs.c
@@ -299,7 +299,7 @@ SilcDList silc_attribute_payload_parse(const unsigned char *payload,
     if (ret == -1)
       goto err;
 
-    if (newp->data_len > buffer.len) {
+    if (newp->data_len > buffer.len - 4) {
       SILC_LOG_ERROR(("Incorrect attribute payload in list"));
       goto err;
     }
@@ -619,7 +619,7 @@ bool silc_attribute_get_object(SilcAttributePayload payload,
        silc_buffer_unformat(&buffer,
                             SILC_STR_UI16_NSTRING_ALLOC(&pk->type, &len),
                             SILC_STR_END);
-      if (res == -1)
+      if (res == -1 || len > buffer.len - 2)
        break;
       pk->data = silc_memdup(payload->data + 2 + len,
                             payload->data_len - 2 - len);

diff --git a/lib/silccore/silcauth.c b/lib/silccore/silcauth.c
index 9c603df4f2ac30c418fc8509456bb45616f46d24..b6bfec6df356d149026c2d65f81ed5e5d01e1436 100644 (file)
--- a/lib/silccore/silcauth.c
+++ b/lib/silccore/silcauth.c
@@ -510,7 +510,7 @@ silc_key_agreement_payload_parse(const unsigned char *payload,
                                                         &newp->hostname_len),
                             SILC_STR_UI_INT(&newp->port),
                             SILC_STR_END);
-  if (ret == -1) {
+  if (ret == -1 || newp->hostname_len > buffer.len - 6) {
     silc_free(newp);
     return NULL;
   }

diff --git a/lib/silccore/silcchannel.c b/lib/silccore/silcchannel.c
index 5c83bbb422801ac4b472c19a18409a4ac8bde860..aa31637823cda4b995bb29c60a0a453a7f62e099 100644 (file)
--- a/lib/silccore/silcchannel.c
+++ b/lib/silccore/silcchannel.c
@@ -109,8 +109,9 @@ SilcDList silc_channel_payload_parse_list(const unsigned char *payload,
     if (ret == -1)
       goto err;
 
-    if ((newp->name_len < 1 || newp->name_len > buffer.len) ||
-       (newp->id_len < 1 || newp->id_len > buffer.len)) {
+    if ((newp->name_len < 1 || newp->name_len > buffer.len - 8) ||
+       (newp->id_len < 1 || newp->id_len > buffer.len - 8) ||
+       (newp->id_len + newp->name_len > buffer.len - 8)) {
       SILC_LOG_ERROR(("Incorrect channel payload in packet, packet dropped"));
       goto err;
     }