authormoneromooo-monero <moneromooo-monero@users.noreply.github.com>2014-10-06 10:27:34 +0100
committermoneromooo-monero <moneromooo-monero@users.noreply.github.com>2014-10-06 14:57:49 +0100
commitadd803be89c1538d4b98d3fc0e25930b96a78fb2 (patch)
tree1c714af754522b7374afcb046db8940dff6cebd1
parentMerge pull request #170 (diff)
downloadmonero-add803be89c1538d4b98d3fc0e25930b96a78fb2.tar.xz
core_rpc_server: fix overreads in slow_memmem
It would read data outside the allocated space in a couple cases.
-rw-r--r--src/rpc/core_rpc_server.cpp18
1 files changed, 10 insertions, 8 deletions
diff --git a/src/rpc/core_rpc_server.cpp b/src/rpc/core_rpc_server.cpp
index e80451cda..97795801c 100644
--- a/src/rpc/core_rpc_server.cpp
+++ b/src/rpc/core_rpc_server.cpp
@@ -398,17 +398,19 @@ namespace cryptonote
return true;
}
//------------------------------------------------------------------------------------------------------------------------------
- uint64_t slow_memmem(void* start_buff, size_t buflen,void* pat,size_t patlen)
+ // equivalent of strstr, but with arbitrary bytes (ie, NULs)
+ // This does not differentiate between "not found" and "found at offset 0"
+ uint64_t slow_memmem(const void* start_buff, size_t buflen,const void* pat,size_t patlen)
{
- void* buf = start_buff;
- void* end=(char*)buf+buflen-patlen;
- while((buf=memchr(buf,((char*)pat)[0],buflen)))
+ const void* buf = start_buff;
+ const void* end=(const char*)buf+buflen;
+ if (patlen > buflen || patlen == 0) return 0;
+ while(buflen>0 && (buf=memchr(buf,((const char*)pat)[0],buflen-patlen+1)))
{
- if(buf>end)
- return 0;
if(memcmp(buf,pat,patlen)==0)
- return (char*)buf - (char*)start_buff;
- buf=(char*)buf+1;
+ return (const char*)buf - (const char*)start_buff;
+ buf=(const char*)buf+1;
+ buflen = (const char*)end - (const char*)buf;
}
return 0;
}
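Review bot: The length passed to memchr in the loop condition, `buflen-patlen+1`, is a size_t subtraction that avoids wrapping only because of an invariant the code never states. A hit is at most buflen-patlen bytes past buf, so after `buflen = (const char*)end - (const char*)buf;` the remaining length is never below patlen-1. I would record that next to the loop, e.g. `// memchr only scans offsets where a full pattern still fits, so buflen >= patlen-1 here and buflen-patlen+1 cannot wrap`, so that a later change to the search window does not quietly bring back the overread. The added comment concedes that 0 means both "not found" and "match at offset 0"; the callers are outside this hunk and should be checked to confirm each treats 0 strictly as failure. The commit adds no test, so cases for a pattern at the very end of the buffer, patlen == buflen, and a first-byte hit inside the last patlen-1 bytes would pin the fix.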