From fc8585a5708880682180526abf2bd3ba78849c71 Mon Sep 17 00:00:00 2001
From: Lukas Woodtli
Date: Tue, 15 Aug 2023 11:31:43 +0200
Subject: [PATCH] Fix out of bound read in registration handling
In some cases the code tried to read past the registration payload.
---
 core/registration.c | 3 +--
 .../crash-4722541711a0a70b31362a66129f8d3b27449b29 | Bin 0 -> 31 bytes
 .../crash-b609a2dd5c6a5ce4fac6b76d1fdfd2841dca4402 | Bin 0 -> 31 bytes
 3 files changed, 1 insertion(+), 2 deletions(-)
 create mode 100644 tests/fuzzing/registration_handleRequest/crash_files/crash-4722541711a0a70b31362a66129f8d3b27449b29
 create mode 100644 tests/fuzzing/registration_handleRequest/crash_files/crash-b609a2dd5c6a5ce4fac6b76d1fdfd2841dca4402
diff --git a/core/registration.c b/core/registration.c
index 777154625..bc03b4146 100644
--- a/core/registration.c
+++ b/core/registration.c
@@ -1604,8 +1604,7 @@ static int prv_getId(uint8_t * data,
 }
 // Ignore any unrecognized attribute
 }
- if (data[limit] == REG_ATTR_SEPARATOR)
- {
+ if (limit < length && data[limit] == REG_ATTR_SEPARATOR) {
 limit += 1;
 }
 data += limit;
diff --git a/tests/fuzzing/registration_handleRequest/crash_files/crash-4722541711a0a70b31362a66129f8d3b27449b29 b/tests/fuzzing/registration_handleRequest/crash_files/crash-4722541711a0a70b31362a66129f8d3b27449b29
new file mode 100644
index 0000000000000000000000000000000000000000..d57e015740d1bf51dbfd93a1dc18c88d807698ba
GIT binary patch literal 31 kcmcD~H`F)Mx6wDM)3dYwul1dC@qb|k1_lKXuwMKR0E%1*NdN!< literal 0 HcmV?d00001
diff --git a/tests/fuzzing/registration_handleRequest/crash_files/crash-b609a2dd5c6a5ce4fac6b76d1fdfd2841dca4402 b/tests/fuzzing/registration_handleRequest/crash_files/crash-b609a2dd5c6a5ce4fac6b76d1fdfd2841dca4402
new file mode 100644
index 0000000000000000000000000000000000000000..446862ceff36aeee870f43b529be006aa75b072d
GIT binary patch literal 31 gcmcD~H?_02vH5RfXZ;@rY^4|(>i;iF4s-Sc0QPMU{{R30 literal 0 HcmV?d00001
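Review bot: The new guard `limit < length` carries no comment saying why `limit` can reach `length` at this point, which is exactly the condition the two added fuzz crash inputs exercise; a line such as `// limit may equal length here; the separator read below must stay inside the payload` above the condition would keep a later maintainer from "simplifying" the check away. The replacement line also moves `{` onto the `if` line, while the removed lines and the surrounding context keep braces on their own line, so one function now mixes two brace styles; keeping `{` on its own line matches the rest of the file. prv_getId begins and ends outside the hunk, so it cannot be confirmed here whether `length` is reduced alongside `data += limit`; if it is not, the remaining bounds checks against `length` in this function would still be measured from the original buffer start. The two crash files only act as a regression test if the fuzz harness replays its crash_files directory in CI, which this patch does not show.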