From 7edc0a52feea4f7618a3a8447b5a2607538776ff Mon Sep 17 00:00:00 2001
From: iphydf
Date: Tue, 28 Apr 2020 11:10:25 +0000
Subject: Bound the number of friends you can have to ~4 billion.

If you have UINT32_MAX friends, then adding one more friend will cause an overflow of the friend list (wrap to 0) and result in all friends being deleted. This subsequently results in a null pointer dereference when we're trying to add one friend to the deleted friend list.
---
 toxcore/Messenger.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/toxcore/Messenger.c b/toxcore/Messenger.c
index 9863018d..6b691ad8 100644
--- a/toxcore/Messenger.c
+++ b/toxcore/Messenger.c
@@ -161,6 +161,12 @@ static int m_handle_lossy_packet(void *object, int friend_num, const uint8_t *pa
 static int32_t init_new_friend(Messenger *m, const uint8_t *real_pk, uint8_t status)
 {
+    if (m->numfriends == UINT32_MAX) {
+        LOGGER_ERROR(m->log, "Friend list full: we have more than 4 billion friends");
+        /* This is technically incorrect, but close enough. */
+        return FAERR_NOMEM;
+    }
+
     /* Resize the friend list if necessary. */
     if (realloc_friendlist(m, m->numfriends + 1) != 0) {
         return FAERR_NOMEM;
-- 
cgit v1.2.3
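Review bot: The comment `/* This is technically incorrect, but close enough. */` above the added `return FAERR_NOMEM;` leaves the reader guessing what is incorrect; say it outright, e.g. `/* Not an allocation failure, but there is no "list full" error code, so report it as NOMEM. */`. The guard itself does what the commit message says: it stops `m->numfriends + 1` in the realloc_friendlist call from wrapping to 0, assuming numfriends is a uint32_t, which the comparison against UINT32_MAX implies. The log text says "more than 4 billion" while the condition fires at exactly UINT32_MAX; `"Friend list full: cannot exceed UINT32_MAX friends"` would state the bound accurately. Whether realloc_friendlist's own size arithmetic (count times element size) can overflow a 32-bit size_t at a far smaller count is not visible in this hunk and is worth checking separately, since this guard does not cover it. init_new_friend continues past the end of the hunk.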