Skip to content

Commit 8663d69

Browse files
divagant-martiandivagant-martian
authored
fix(nap_pmp): reject buffers that are too short on responses (#34)
## Description Fixes a panic in decoding a response from the nat box due to incorrect buffer size verifications. We were checking that the buffer size is within range for all different kinds of responses, but for the specific map response the buffer size is exact. Also updates son libraries due to advisories ## Notes & open questions <!-- Any notes, remarks or open questions you have to make about the PR. --> ## Change checklist - [x] Self-review. - [x] Documentation updates following the [style guide](https://rust-lang.github.io/rfcs/1574-more-api-documentation-conventions.html#appendix-a-full-conventions-text), if relevant. - [x] Tests if relevant. - [x] All breaking changes documented.
1 parent d6eee7d commit 8663d69

File tree

2 files changed

+21
-51
lines changed

2 files changed

+21
-51
lines changed

Cargo.lock

Lines changed: 12 additions & 46 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

portmapper/src/nat_pmp/protocol/response.rs

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,11 @@ impl Response {
115115
pub const RESPONSE_INDICATOR: u8 = 1u8 << 7;
116116

117117
/// Decode a map response.
118-
fn decode_map(buf: &[u8], proto: MapProtocol) -> Response {
118+
fn decode_map(buf: &[u8], proto: MapProtocol) -> Result<Self, Error> {
119+
if buf.len() != Self::MAX_SIZE {
120+
return Err(MalformedSnafu.build());
121+
}
122+
119123
let epoch_bytes = buf[4..8].try_into().expect("slice has the right len");
120124
let epoch_time = u32::from_be_bytes(epoch_bytes);
121125

@@ -128,13 +132,13 @@ impl Response {
128132
let lifetime_bytes = buf[12..16].try_into().expect("slice has the right len");
129133
let lifetime_seconds = u32::from_be_bytes(lifetime_bytes);
130134

131-
Response::PortMap {
135+
Ok(Response::PortMap {
132136
proto,
133137
epoch_time,
134138
private_port,
135139
external_port,
136140
lifetime_seconds,
137-
}
141+
})
138142
}
139143

140144
/// Decode a response.
@@ -176,8 +180,8 @@ impl Response {
176180
public_ip: ip_bytes.into(),
177181
}
178182
}
179-
Opcode::MapUdp => Self::decode_map(buf, MapProtocol::Udp),
180-
Opcode::MapTcp => Self::decode_map(buf, MapProtocol::Tcp),
183+
Opcode::MapUdp => Self::decode_map(buf, MapProtocol::Udp)?,
184+
Opcode::MapTcp => Self::decode_map(buf, MapProtocol::Tcp)?,
181185
};
182186

183187
Ok(response)

0 commit comments

Comments
 (0)