Return error when parsing packet with fewer bytes than TKL field indicates

dubek · dubek · commit a2260b92ac40 · 2015-10-12T16:20:58.000-04:00
This fix solves a panic which is raised when parsing a packet which indicates a non-zero token length (TKL) but the packet itself is shorter than the indicated token length. In such a case, a "truncated" error is return from UnmarshalBinary. The bug was found with the help of go-fuzz (https://github.com/dvyukov/go-fuzz).
diff --git a/message.go b/message.go
@@ -573,6 +573,9 @@ func (m *Message) UnmarshalBinary(data []byte) error {
 	if tokenLen > 0 {
 		m.Token = make([]byte, tokenLen)
 	}
+	if len(data) < 4+tokenLen {
+		return errors.New("truncated")
+	}
 	copy(m.Token, data[4:4+tokenLen])
 	b := data[4+tokenLen:]
 	prev := 0
diff --git a/message_test.go b/message_test.go
@@ -185,6 +185,12 @@ func TestInvalidMessageParsing(t *testing.T) {
 	if err == nil {
 		t.Errorf("Unexpected success parsing invalid message: %v", msg)
 	}
+
+	// TKL=5 but packet is truncated
+	msg, err = parseMessage([]byte{0x45, 0, 0, 0, 0, 0})
+	if err == nil {
+		t.Errorf("Unexpected success parsing invalid message: %v", msg)
+	}
 }
 
 func TestOptionsWithIllegalLengthAreIgnoredDuringParsing(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,12 @@ func TestInvalidMessageParsing(t *testing.T) {`
`185`	`185`	`if err == nil {`
`186`	`186`	`t.Errorf("Unexpected success parsing invalid message: %v", msg)`
`187`	`187`	`}`
	`188`	`+`
	`189`	`+ // TKL=5 but packet is truncated`
	`190`	`+ msg, err = parseMessage([]byte{0x45, 0, 0, 0, 0, 0})`
	`191`	`+ if err == nil {`
	`192`	`+ t.Errorf("Unexpected success parsing invalid message: %v", msg)`
	`193`	`+ }`
`188`	`194`	`}`
`189`	`195`
`190`	`196`	`func TestOptionsWithIllegalLengthAreIgnoredDuringParsing(t *testing.T) {`