
List:       kde-commits
Subject:    branches/work/icecream-make-it-cool/services
From:       Dirk Mueller <mueller () kde ! org>
Date:       2007-07-28 16:50:34
Message-ID: 1185641434.401238.8178.nullmailer () svn ! kde ! org

SVN commit 693679 by mueller:

various protections against malicious requests


 M  +21 -5     comm.cpp  


--- branches/work/icecream-make-it-cool/services/comm.cpp #693678:693679
@@ -51,6 +51,15 @@
 
 using namespace std;
 
+/*
+ * A generic DoS protection. The biggest messages are of type FileChunk
+ * which shouldn't be larger than 100kb. so anything bigger than 10 times
+ * of that is definitly fishy, and we must reject it (we're running as root,
+ * so be cautious).
+ */
+
+#define MAX_MSG_SIZE 1 * 1024 * 1024
+
 /* TODO
  * buffered in/output per MsgChannel
     + move read* into MsgChannel, create buffer-fill function
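Review bot: The new `MAX_MSG_SIZE` macro expands to an unparenthesized expression, `1 * 1024 * 1024`. That is harmless in the `inmsglen > MAX_MSG_SIZE` comparison added further down, but any later use next to `/`, `%` or a cast would bind to only part of it. Since the limit is a security boundary, I would write it as `#define MAX_MSG_SIZE (1 * 1024 * 1024)`, or as a typed constant such as `static const size_t MAX_MSG_SIZE = 1024 * 1024;` so the comparison against the length field is not a mixed signed/unsigned one.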
@@ -180,6 +189,8 @@
       else if (inofs - intogo >= 4)
         {
           (*this) >> inmsglen;
+          if (inmsglen > MAX_MSG_SIZE)
+              return false;
 	  if (inbuflen - intogo < inmsglen)
 	    {
 	      inbuflen = (inmsglen + intogo + 127) & ~(size_t)127;
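Review bot: The early `return false` for an oversized `inmsglen` comes after the length field has been extracted, so the channel is presumably left mid-message, and nothing in the hunk records why the read failed. The caller is outside this hunk; unless it already treats a false return as fatal and closes the connection, the unread payload bytes could be parsed as the next header. I would put a comment on the check, for example `/* oversized length: stream is out of sync from here on, caller must drop the connection */`, and log the rejected length so an operator can tell a hostile peer from a network fault. The enclosing function starts and ends outside the hunk.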
@@ -336,7 +347,7 @@
   // len is including the (also saved) 0 Byte
   uint32_t len;
   *this >> len;
-  if (!len || inofs < intogo + len)
+  if (!len || len > inofs - intogo)
     s = "";
   else
     {
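Review bot: The rewritten bound `len > inofs - intogo` removes the overflow in `intogo + len`, but the subtraction itself wraps if `intogo` can ever exceed `inofs`, and then every `len` passes. Whether that can happen depends on the `uint32_t` extraction on the line above, which is not shown; if it advances `intogo` by four even when fewer than four bytes remain, a truncated message reaches the copy with an enormous "remaining" value. Making the invariant explicit costs one comparison: `if (!len || intogo > inofs || len > inofs - intogo)`. The function body continues outside the hunk.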
@@ -367,6 +378,8 @@
       string s;
       *this >> s;
       l.push_back (s);
+      if (inofs == intogo)
+        break;
     }
   return *this;
 }
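Review bot: The added `if (inofs == intogo) break;` only stops the loop when the read cursor lands exactly on the end of the buffer, so the element count taken from the message (read outside this hunk) still drives the loop in every other case. If the length extraction does not consume input when fewer than four bytes are left, which I cannot confirm from here, one to three trailing bytes would let the loop push empty strings for the full peer-supplied count. Testing for "no room for another length field" is more robust, e.g. `if (intogo >= inofs || inofs - intogo < 4) break;`, and performing that test before `l.push_back (s)` would also avoid appending an element that was never in the message.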
@@ -419,10 +432,13 @@
   uncompressed_len = tmp;
   *this >> tmp;
   compressed_len = tmp;
-  /* If there was some input, but nothing compressed, or we don't have
-     everything to uncompress, there was an error.  */
-  if ((uncompressed_len && !compressed_len)
-      || inofs < intogo + compressed_len)
+  /* If there was some input, but nothing compressed,
+     or lengths are bigger than the whole chunk message
+     or we don't have everything to uncompress, there was an error.  */
+  if ( uncompressed_len > (inofs - intogo)
+       || compressed_len > (inofs - intogo)
+       || (uncompressed_len && !compressed_len)
+       || inofs < intogo + compressed_len )
     {
       *uncompressed_buf = 0;
       uncompressed_len = 0;
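Review bot: The first new clause, `uncompressed_len > (inofs - intogo)`, compares the declared uncompressed size with the bytes left in the message, which as far as the hunk shows hold the compressed payload. Any chunk that actually shrinks under compression has an uncompressed length larger than that and would be rejected as an error. The intent of capping the allocation is better served by the limit introduced at the top of this file: `if ( uncompressed_len > MAX_MSG_SIZE`. The last clause, `inofs < intogo + compressed_len`, is now covered by `compressed_len > (inofs - intogo)` and still contains the addition that can overflow, so it can be dropped. The function continues outside the hunk.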