* i2psnark: Fix OOM vulnerability by checking incoming message length

(thanks devzero!)
2008-08-13 15:59:16 +00:00
parent 719ba3f66f
commit 49af13a3ca
4 changed files with 10 additions and 3 deletions
--- a/apps/i2psnark/java/src/org/klomp/snark/PeerConnectionIn.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/PeerConnectionIn.java
@ -77,9 +77,12 @@ class PeerConnectionIn implements Runnable
        
            // Wait till we hear something...
            // The length of a complete message in bytes.
+            // The biggest is the piece message, for which the length is the
+            // request size (32K) plus 9. (we could also check if Storage.MAX_PIECES / 8
+            // in the bitfield message is bigger but it's currently 5000/8 = 625 so don't bother)
            int i = din.readInt();
            lastRcvd = System.currentTimeMillis();
-            if (i < 0)
+            if (i < 0 || i > PeerState.PARTSIZE + 9)
              throw new IOException("Unexpected length prefix: " + i);

            if (i == 0)
--- a/apps/i2psnark/java/src/org/klomp/snark/PeerState.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/PeerState.java
@ -62,7 +62,7 @@ class PeerState

  private final static int MAX_PIPELINE = 2;               // this is for outbound requests
  private final static int MAX_PIPELINE_BYTES = 128*1024;  // this is for inbound requests
-  private final static int PARTSIZE = 32*1024; // Snark was 16K, i2p-bt uses 64KB
+  public final static int PARTSIZE = 32*1024; // Snark was 16K, i2p-bt uses 64KB
  private final static int MAX_PARTSIZE = 64*1024; // Don't let anybody request more than this

  PeerState(Peer peer, PeerListener listener, MetaInfo metainfo,
--- a/history.txt
+++ b/history.txt
@ -1,3 +1,7 @@
+2008-08-13 zzz
+    * i2psnark: Fix OOM vulnerability by checking incoming message length
+      (thanks devzero!)
+
 2008-08-04 zzz
    * Floodfill Peer Selector:
      - Avoid peers whose netdb is old, or have a recent failed store,
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@ -17,7 +17,7 @@ import net.i2p.CoreVersion;
 public class RouterVersion {
    public final static String ID = "$Revision: 1.548 $ $Date: 2008-06-07 23:00:00 $";
    public final static String VERSION = "0.6.2";
-    public final static long BUILD = 11;
+    public final static long BUILD = 12;
    public static void main(String args[]) {
        System.out.println("I2P Router version: " + VERSION + "-" + BUILD);
        System.out.println("Router ID: " + RouterVersion.ID);