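diff --git a/src/parser_lyb.c b/src/parser_lyb.c
index 788be94..5a26e43 100644
--- a/src/parser_lyb.c
+++ b/src/parser_lyb.c
@@ -217,6 +217,11 @@ lyb_read_string(char **str, uint8_t len_size, struct lylyb_ctx *lybctx)
 
 lyb_read_number(&len, sizeof len, len_size, lybctx);
 
+ /* len could be potentially at UINT64_MAX meaning that len + 1 would
+ * cause malloc(0) followed by an out-of-bounds write */
+ LY_CHECK_ERR_RET(len == UINT64_MAX,
+ LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);
+
 *str = malloc((len + 1) * sizeof **str);
 LY_CHECK_ERR_RET(!*str, LOGMEM(lybctx->ctx), LY_EMEM);
 
@@ -281,6 +281,12 @@ lyb_read_term_value(const struct lysc_node_leaf *term, uint8_t **term_value, uin
 *term_value_len = lyb_data_len;
 }
 
+ /* *term_value_len + 1 can overflow uint32_t allocated_size when
+ * *term_value_len >= UINT32_MAX, causing malloc(0) followed by
+ * an out-of-bounds write (OOM / DoS) */
+ LY_CHECK_ERR_RET(*term_value_len >= UINT32_MAX,
+ LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);
+
 /* Allocate memory. */
 allocated_size = *term_value_len + 1;
 *term_value = malloc(allocated_size * sizeof **term_value);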
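Review bot: In the lyb_read_string hunk the new guard rejects only `len == UINT64_MAX`, but the value passed to malloc() is converted to size_t, so on a build where size_t is 32 bits a decoded length of 0xFFFFFFFF would still let `(len + 1)` truncate to zero and reach the same zero-size allocation the comment describes (this assumes len is a uint64_t, as the comment implies; its declaration is outside the hunk). Comparing against the allocator's own limit covers both widths: `LY_CHECK_ERR_RET(len >= SIZE_MAX, LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);`. In the lyb_read_term_value hunk the check itself matches the uint32_t `allocated_size`, but the comment's "(OOM / DoS)" understates the issue, since an out-of-bounds heap write is memory corruption; I would word it as `an out-of-bounds heap write (memory corruption)`. Both function bodies start and end outside the hunks, so whether the length is also bounded by the remaining input cannot be judged from here.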