Return error when parsing packet with fewer bytes than TKL field indi…

…cates This fix solves a panic which is raised when parsing a packet which indicates a non-zero token length (TKL) but the packet itself is shorter than the indicated token length. In such a case, a "truncated" error is return from UnmarshalBinary. The bug was found with the help of go-fuzz (https://github.com/dvyukov/go-fuzz).
dustin · Oct 12, 2015 · a2260b9 · a2260b9
1 parent 2ee4122
commit a2260b9
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/message.go b/message.go
@@ -573,6 +573,9 @@ func (m *Message) UnmarshalBinary(data []byte) error {
 	if tokenLen > 0 {
 		m.Token = make([]byte, tokenLen)
 	}
+	if len(data) < 4+tokenLen {
+		return errors.New("truncated")
+	}
 	copy(m.Token, data[4:4+tokenLen])
 	b := data[4+tokenLen:]
 	prev := 0

diff --git a/message_test.go b/message_test.go
@@ -185,6 +185,12 @@ func TestInvalidMessageParsing(t *testing.T) {
 	if err == nil {
 		t.Errorf("Unexpected success parsing invalid message: %v", msg)
 	}
+
+	// TKL=5 but packet is truncated
+	msg, err = parseMessage([]byte{0x45, 0, 0, 0, 0, 0})
+	if err == nil {
+		t.Errorf("Unexpected success parsing invalid message: %v", msg)
+	}
 }
 
 func TestOptionsWithIllegalLengthAreIgnoredDuringParsing(t *testing.T) {