Allow a maximum length to be specified when reading strings or byte
arrays, check it before allocating the buffer, and always specify the
maximum length when reading untrusted data. Otherwise CountingConsumer
will reject the packet, but not before we've tried to allocate a buffer
of the specified size (up to 2 GB).
akwizgran
2011-08-03 19:29:30 +01:00
parent 5fd87647f8
commit c90a18278b
13 changed files with 73 additions and 31 deletions


@@ -67,19 +67,19 @@ class MessageReader implements ObjectReader<Message> {
long timestamp = r.readInt64();
if(timestamp < 0L) throw new FormatException();
// Skip the message body
r.readBytes();
r.readBytes(Message.MAX_SIZE);
// Record the length of the data covered by the author's signature
int signedByAuthor = (int) counting.getCount();
// Read the author's signature, if there is one
byte[] authorSig = null;
if(author == null) r.readNull();
else authorSig = r.readBytes();
else authorSig = r.readBytes(Message.MAX_SIGNATURE_SIZE);
// Record the length of the data covered by the group's signature
int signedByGroup = (int) counting.getCount();
// Read the group's signature, if there is one
byte[] groupSig = null;
if(group.getPublicKey() == null) r.readNull();
else groupSig = r.readBytes();
else groupSig = r.readBytes(Message.MAX_SIGNATURE_SIZE);
// That's all, folks
r.removeConsumer(counting);
r.removeConsumer(copying);
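Review bot: The body read `r.readBytes(Message.MAX_SIZE)` is capped at what appears to be the limit for the whole serialized message, so the argument bounds the allocation rather than the body itself. The total size still depends on the counting consumer rejecting the packet, as the commit message describes. Nothing in the code states that split, so I would change the comment above the call to `// Skip the message body; the cap only bounds the allocation, the counting consumer enforces the total size`. Both signature reads use `Message.MAX_SIGNATURE_SIZE`, which is correct only if author and group keys share the same maximum signature length; that is not visible here. The method starts and ends outside this hunk, so any earlier reads of untrusted strings or byte arrays in it should be checked for the same bounded overload.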