1
0
mirror of https://github.com/golang/go synced 2024-11-25 18:17:56 -07:00

gob: protect against invalid message length

Fixes #2301.

R=golang-dev, gri
CC=golang-dev
https://golang.org/cl/5134048
This commit is contained in:
Rob Pike 2011-09-26 15:58:01 -07:00
parent 6c230fbc67
commit 4c462e6fd7
2 changed files with 16 additions and 0 deletions

View File

@ -58,6 +58,8 @@ func (dec *Decoder) recvType(id typeId) {
dec.wireType[id] = wire dec.wireType[id] = wire
} }
var errBadCount = gobError{os.NewError("invalid message length")}
// recvMessage reads the next count-delimited item from the input. It is the converse // recvMessage reads the next count-delimited item from the input. It is the converse
// of Encoder.writeMessage. It returns false on EOF or other error reading the message. // of Encoder.writeMessage. It returns false on EOF or other error reading the message.
func (dec *Decoder) recvMessage() bool { func (dec *Decoder) recvMessage() bool {
@ -67,6 +69,10 @@ func (dec *Decoder) recvMessage() bool {
dec.err = err dec.err = err
return false return false
} }
if nbytes >= 1<<31 {
dec.err = errBadCount
return false
}
dec.readMessage(int(nbytes)) dec.readMessage(int(nbytes))
return dec.err == nil return dec.err == nil
} }

View File

@ -628,3 +628,13 @@ func TestSliceReusesMemory(t *testing.T) {
} }
} }
} }
// Used to crash: negative count in recvMessage.
func TestBadCount(t *testing.T) {
b := []byte{0xfb, 0xa5, 0x82, 0x2f, 0xca, 0x1}
if err := NewDecoder(bytes.NewBuffer(b)).Decode(nil); err == nil {
t.Error("expected error from bad count")
} else if err.String() != errBadCount.String() {
t.Error("expected bad count error; got", err)
}
}