
fix a buffer overflow

pull/405/head
Max Lv 9 years ago
parent
commit
c1db81d7db
2 changed files with 14 additions and 6 deletions
  1. 4
      src/encrypt.c
  2. 16
      src/udprelay.c

4
src/encrypt.c

@ -1079,9 +1079,9 @@ char * ss_encrypt_all(int buf_size, char *plaintext, ssize_t *len, int method, i
ss_onetimeauth(hash, plaintext, p_len, iv);
if (buf_size < ONETIMEAUTH_BYTES + p_len) {
plaintext = realloc(plaintext, ONETIMEAUTH_BYTES + p_len);
memcpy(plaintext + p_len, hash, ONETIMEAUTH_BYTES);
p_len = c_len = p_len + ONETIMEAUTH_BYTES;
}
memcpy(plaintext + p_len, hash, ONETIMEAUTH_BYTES);
p_len = c_len = p_len + ONETIMEAUTH_BYTES;
}
if (method >= SALSA20) {
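Review bot: The `realloc` result in the `buf_size < ONETIMEAUTH_BYTES + p_len` branch is assigned straight back to `plaintext` and never checked, so on allocation failure the `memcpy(plaintext + p_len, hash, ONETIMEAUTH_BYTES)` that follows writes through a null-based pointer and the original buffer is leaked. Assign through a temporary instead: `char *tmp = realloc(plaintext, ONETIMEAUTH_BYTES + p_len);` `if (tmp == NULL) return NULL;` `plaintext = tmp;`. What the failure path should free or return depends on who owns `plaintext`, which is not visible here because ss_encrypt_all starts and ends outside the hunk. The same unchecked `buf = realloc(buf, ...)` assignment appears in all four hunks of src/udprelay.c.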

16
src/udprelay.c

@ -682,7 +682,9 @@ static void remote_recv_cb(EV_P_ ev_io *w, int revents)
memmove(buf, buf + len, buf_len);
#else
// Construct packet
buf = realloc(buf, buf_len + 3);
if (BUF_SIZE < buf_len + 3) {
buf = realloc(buf, buf_len + 3);
}
memmove(buf + 3, buf, buf_len);
memset(buf, 0, 3);
buf_len += 3;
@ -703,7 +705,9 @@ static void remote_recv_cb(EV_P_ ev_io *w, int revents)
}
// Construct packet
buf = realloc(buf, buf_len + addr_header_len);
if (BUF_SIZE < buf_len + addr_header_len) {
buf = realloc(buf, buf_len + addr_header_len);
}
memmove(buf + addr_header_len, buf, buf_len);
memcpy(buf, addr_header, addr_header_len);
buf_len += addr_header_len;
@ -894,7 +898,9 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents)
}
// reconstruct the buffer
buf = realloc(buf, buf_len + addr_header_len);
if (BUF_SIZE < buf_len + addr_header_len) {
buf = realloc(buf, buf_len + addr_header_len);
}
memmove(buf + addr_header_len, buf, buf_len);
memcpy(buf, addr_header, addr_header_len);
buf_len += addr_header_len;
@ -950,7 +956,9 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents)
addr_header_len += 2;
// reconstruct the buffer
buf = realloc(buf, buf_len + addr_header_len);
if (BUF_SIZE < buf_len + addr_header_len) {
buf = realloc(buf, buf_len + addr_header_len);
}
memmove(buf + addr_header_len, buf, buf_len);
memcpy(buf, addr_header, addr_header_len);
buf_len += addr_header_len;
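Review bot: The new guards compare against the compile-time constant `BUF_SIZE` rather than the buffer's actual capacity, so `if (BUF_SIZE < buf_len + 3)` and the three `if (BUF_SIZE < buf_len + addr_header_len)` checks are only safe if `buf` holds at least `BUF_SIZE` bytes at each of these points. The allocation is outside the hunks, and if any earlier step ever leaves `buf` smaller than `BUF_SIZE`, the following `memmove(buf + addr_header_len, buf, buf_len)` could write past the end without the guard firing. ss_encrypt_all in src/encrypt.c receives the capacity as its `buf_size` argument; keeping a capacity variable next to `buf` here (say `buf_cap`) and testing `if (buf_cap < buf_len + addr_header_len)` would make the check verifiable locally. Failing that, add a comment such as `// buf is always at least BUF_SIZE bytes here` at each site where that invariant has been confirmed. remote_recv_cb and server_recv_cb both extend beyond the hunks shown.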
