author | iphydf <iphydf@users.noreply.github.com> | 2020-04-28 11:10:25 +0000 |
committer | iphydf <iphydf@users.noreply.github.com> | 2020-04-29 12:22:06 +0000 |
commit | 7edc0a52feea4f7618a3a8447b5a2607538776ff (patch) | |
tree | 43fb3ce70f033a70b6af6e9449f96cf2787b6d0e | |
parent | de3c21b5b70b76eae6db3b4556d12ea026bf5c40 (diff) |
Bound the number of friends you can have to ~4 billion.
If you have UINT32_MAX friends, then adding one more friend will cause an
overflow of the friend list (wrap to 0) and result in all friends being
deleted. This subsequently results in a null pointer dereference when
we're trying to add one friend to the deleted friend list.
-rw-r--r-- | toxcore/Messenger.c | 6 |
1 files changed, 6 insertions, 0 deletions
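--- a/toxcore/Messenger.c
+++ b/toxcore/Messenger.c
@@ -161,6 +161,12 @@ static int m_handle_lossy_packet(void *object, int friend_num, const uint8_t *pa
 
 static int32_t init_new_friend(Messenger *m, const uint8_t *real_pk, uint8_t status)
 {
+    if (m->numfriends == UINT32_MAX) {
+        LOGGER_ERROR(m->log, "Friend list full: we have more than 4 billion friends");
+        /* This is technically incorrect, but close enough. */
+        return FAERR_NOMEM;
+    }
+
     /* Resize the friend list if necessary. */
     if (realloc_friendlist(m, m->numfriends + 1) != 0) {
         return FAERR_NOMEM;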
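Review bot: The guard protects only this call site, while the expression that actually wraps is `m->numfriends + 1` passed to realloc_friendlist on the next line; if realloc_friendlist has other callers (not visible here), the same wrap-to-zero and subsequent null dereference described in the commit message remain reachable through them, so the count check would be more robust inside realloc_friendlist, or its `num` argument rejected when it is 0 after a grow. The comment `/* This is technically incorrect, but close enough. */` does not say what is incorrect; a reader would be better served by `/* No dedicated error code for an exhausted friend list; NOMEM is the closest. */`. The log message says "more than 4 billion friends" but the branch fires at exactly UINT32_MAX, so `"Friend list full: the friend counter is at UINT32_MAX"` would be accurate. init_new_friend's body continues outside the hunk.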