X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=site.c;h=04e3a0d8584cb995a30f688f6dd27723b31857ff;hb=f7857c831a1999529dc54c795b5eeebdd199b8e1;hp=dcac0baaf3428f20c8a97b83eb4d169954271119;hpb=5dfe538bae53c5dc90151043c7da782bd54cb44c;p=secnet.git diff --git a/site.c b/site.c index dcac0ba..04e3a0d 100644 --- a/site.c +++ b/site.c @@ -6,7 +6,7 @@ * * secnet is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version d of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * secnet is distributed in the hope that it will be useful, but @@ -713,6 +713,13 @@ static bool_t unpick_msg(struct site *st, uint32_t type, CHECK_AVAIL(msg,m->siglen); m->sig=buf_unprepend(msg,m->siglen); CHECK_EMPTY(msg); + + /* In `process_msg3_msg4' below, we assume that we can write a nul + * terminator following the signature. Make sure there's enough space. + */ + if (msg->start >= msg->base + msg->alloclen) + return False; + return True; } @@ -846,7 +853,7 @@ static bool_t process_msg3_msg4(struct site *st, struct msg *m) hst=st->hash->init(); st->hash->update(hst,m->hashstart,m->hashlen); st->hash->final(hst,hash); - /* Terminate signature with a '0' - cheating, but should be ok */ + /* Terminate signature with a '0' - already checked that this will fit */ m->sig[m->siglen]=0; if (!st->pubkey->check(st->pubkey->st,hash,st->hash->len,m->sig)) { slog(st,LOG_SEC,"msg3/msg4 signature failed check!"); @@ -1449,7 +1456,7 @@ static void enter_state_run(struct site *st) FILLZERO(st->remoteN); dispose_transform(&st->new_transform); memset(st->dhsecret,0,st->dh->len); - memset(st->sharedsecret,0,st->sharedsecretlen); + if (st->sharedsecret) memset(st->sharedsecret,0,st->sharedsecretlen); set_link_quality(st); if (st->keepalive && !current_valid(st))