lib/net: Limit the maximum size of TCP or SSL input buffers
This commit is the 2/3 part of the fix for the following security
vulnerability:
- CVE-2021-42076 DoS via excess length messages
The issue has been reported by Matthias Gerstner <mgerstner@suse.de>.
(cherry picked from commit af90f39b4a
)
This commit is contained in:
parent
f546af4a85
commit
d762ab7d50
|
@ -40,6 +40,7 @@
|
||||||
|
|
||||||
#define MAX_ERROR_SIZE 65535
|
#define MAX_ERROR_SIZE 65535
|
||||||
|
|
||||||
|
static const std::size_t MAX_INPUT_BUFFER_SIZE = 1024 * 1024;
|
||||||
static const float s_retryDelay = 0.01f;
|
static const float s_retryDelay = 0.01f;
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
|
@ -181,6 +182,10 @@ SecureSocket::doRead()
|
||||||
do {
|
do {
|
||||||
m_inputBuffer.write(buffer, bytesRead);
|
m_inputBuffer.write(buffer, bytesRead);
|
||||||
|
|
||||||
|
if (m_inputBuffer.getSize() > MAX_INPUT_BUFFER_SIZE) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
status = secureRead(buffer, sizeof(buffer), bytesRead);
|
status = secureRead(buffer, sizeof(buffer), bytesRead);
|
||||||
if (status < 0) {
|
if (status < 0) {
|
||||||
return kBreak;
|
return kBreak;
|
||||||
|
|
|
@ -33,9 +33,7 @@
|
||||||
#include <cstdlib>
|
#include <cstdlib>
|
||||||
#include <memory>
|
#include <memory>
|
||||||
|
|
||||||
//
|
static const std::size_t MAX_INPUT_BUFFER_SIZE = 1024 * 1024;
|
||||||
// TCPSocket
|
|
||||||
//
|
|
||||||
|
|
||||||
TCPSocket::TCPSocket(IEventQueue* events, SocketMultiplexer* socketMultiplexer, IArchNetwork::EAddressFamily family) :
|
TCPSocket::TCPSocket(IEventQueue* events, SocketMultiplexer* socketMultiplexer, IArchNetwork::EAddressFamily family) :
|
||||||
IDataSocket(events),
|
IDataSocket(events),
|
||||||
|
@ -345,6 +343,10 @@ TCPSocket::doRead()
|
||||||
do {
|
do {
|
||||||
m_inputBuffer.write(buffer, (UInt32)bytesRead);
|
m_inputBuffer.write(buffer, (UInt32)bytesRead);
|
||||||
|
|
||||||
|
if (m_inputBuffer.getSize() > MAX_INPUT_BUFFER_SIZE) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
bytesRead = ARCH->readSocket(m_socket, buffer, sizeof(buffer));
|
bytesRead = ARCH->readSocket(m_socket, buffer, sizeof(buffer));
|
||||||
} while (bytesRead > 0);
|
} while (bytesRead > 0);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue