Skip to content

wire: bound decoded auth.token_size and num_sn to destination sizes#1243

Merged
lucaderi merged 1 commit into
ntop:devfrom
mjbommar:wire-validate-decoded-lengths
Jun 22, 2026
Merged

wire: bound decoded auth.token_size and num_sn to destination sizes#1243
lucaderi merged 1 commit into
ntop:devfrom
mjbommar:wire-validate-decoded-lengths

Conversation

@mjbommar

Copy link
Copy Markdown
Contributor

decode_buf() checks that the source packet holds the requested number of bytes, but not that the requested length fits the destination buffer. The REGISTER_SUPER / UNREGISTER_SUPER / REGISTER_SUPER_ACK / REGISTER_SUPER_NAK decoders read auth.token_size (16-bit) and num_sn (8-bit) directly from the wire and pass them to decode_buf() targeting fixed-size destinations (auth.token is N2N_AUTH_MAX_TOKEN_SIZE = 48 bytes; the backup-supernode list is bounded by REG_SUPER_ACK_PAYLOAD_SPACE).

A length field larger than its destination lets a malformed packet write past the buffer. This validates token_size and num_sn against those limits before the copy and returns a decode error otherwise. Well-formed peers never send larger values, so legitimate traffic is unaffected.

Built clean with -Wall (no new warnings); tools/tests-wire passes.

decode_buf() verifies that the source packet still holds the requested
number of bytes, but not that the requested length fits the destination
buffer. The REGISTER_SUPER / UNREGISTER_SUPER / REGISTER_SUPER_ACK /
REGISTER_SUPER_NAK decoders read auth.token_size (a 16-bit field) and
num_sn (an 8-bit count) directly from the wire and pass them to
decode_buf() targeting fixed-size destinations: auth.token is
N2N_AUTH_MAX_TOKEN_SIZE (48) bytes, and the REGISTER_SUPER_ACK backup
list is bounded by REG_SUPER_ACK_PAYLOAD_SPACE.

A length field larger than its destination therefore lets a malformed
packet write past the end of the buffer. Validate token_size against
N2N_AUTH_MAX_TOKEN_SIZE and num_sn against REG_SUPER_ACK_PAYLOAD_SPACE
before calling decode_buf(), returning a decode error otherwise. A
conforming peer never sends a larger value, so well-formed traffic is
unaffected.

Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
@lucaderi lucaderi merged commit 854fbbe into ntop:dev Jun 22, 2026
6 of 19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants