lib/net: Limit the maximum size of TCP or SSL input buffers

This commit is the 2/3 part of the fix for the following security
vulnerability:
 - CVE-2021-42076 DoS via excess length messages

The issue has been reported by Matthias Gerstner <mgerstner@suse.de>.

(cherry picked from commit af90f39b4a)
This commit is contained in:
Povilas Kanapickas 2021-11-01 05:18:52 +02:00
parent f546af4a85
commit d762ab7d50
2 changed files with 11 additions and 4 deletions

View File

@ -40,6 +40,7 @@
#define MAX_ERROR_SIZE 65535
static const std::size_t MAX_INPUT_BUFFER_SIZE = 1024 * 1024;
static const float s_retryDelay = 0.01f;
enum {
@ -180,7 +181,11 @@ SecureSocket::doRead()
// slurp up as much as possible
do {
m_inputBuffer.write(buffer, bytesRead);
if (m_inputBuffer.getSize() > MAX_INPUT_BUFFER_SIZE) {
break;
}
status = secureRead(buffer, sizeof(buffer), bytesRead);
if (status < 0) {
return kBreak;

View File

@ -33,9 +33,7 @@
#include <cstdlib>
#include <memory>
//
// TCPSocket
//
static const std::size_t MAX_INPUT_BUFFER_SIZE = 1024 * 1024;
TCPSocket::TCPSocket(IEventQueue* events, SocketMultiplexer* socketMultiplexer, IArchNetwork::EAddressFamily family) :
IDataSocket(events),
@ -345,6 +343,10 @@ TCPSocket::doRead()
do {
m_inputBuffer.write(buffer, (UInt32)bytesRead);
if (m_inputBuffer.getSize() > MAX_INPUT_BUFFER_SIZE) {
break;
}
bytesRead = ARCH->readSocket(m_socket, buffer, sizeof(buffer));
} while (bytesRead > 0);