From de65e7a104c99d829e86612b62665fe45097c524 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Mon, 21 Sep 2015 09:49:48 +0300
Subject: [PATCH] Additional buffer bounds checks

Signed-off-by: Sergey Matveev
---
 src/govpn/handshake.go | 8 ++++----
 src/govpn/peer.go | 6 ++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/govpn/handshake.go b/src/govpn/handshake.go
index 0aa65bd..24a0f1f 100644
--- a/src/govpn/handshake.go
+++ b/src/govpn/handshake.go
@@ -191,7 +191,7 @@ func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake {
 // authenticated Peer is ready, then return nil.
 func (h *Handshake) Server(data []byte) *Peer {
 // R + ENC(H(DSAPub), R, El(CDHPub)) + IDtag
- if h.rNonce == nil {
+ if h.rNonce == nil && len(data) >= 48 {
 // Generate DH keypair
 var dhPubRepr *[32]byte
 h.dhPriv, dhPubRepr = dhKeypairGen()
@@ -237,7 +237,7 @@ func (h *Handshake) Server(data []byte) *Peer {
 h.LastPing = time.Now()
 } else
 // ENC(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag
- if h.rClient == nil {
+ if h.rClient == nil && len(data) >= 120 {
 // Decrypted Rs compare rServer
 dec := make([]byte, RSize+RSize+SSize+ed25519.SignatureSize)
 salsa20.XORKeyStream(
@@ -290,7 +290,7 @@ func (h *Handshake) Server(data []byte) *Peer {
 // authenticated Peer is ready, then return nil.
 func (h *Handshake) Client(data []byte) *Peer {
 // ENC(H(DSAPub), R+1, El(SDHPub)) + ENC(K, R, RS + SS) + IDtag
- if h.rServer == nil && h.key == nil {
+ if h.rServer == nil && h.key == nil && len(data) >= 80 {
 // Decrypt remote public key and compute shared key
 sDHRepr := new([32]byte)
 salsa20.XORKeyStream(sDHRepr[:], data[:32], h.rNonceNext(1), h.dsaPubH)
@@ -334,7 +334,7 @@ func (h *Handshake) Client(data []byte) *Peer {
 h.LastPing = time.Now()
 } else
 // ENC(K, R+2, RC) + IDtag
- if h.key != nil {
+ if h.key != nil && len(data) >= 16 {
 // Decrypt rClient
 dec := make([]byte, RSize)
 salsa20.XORKeyStream(dec, data[:RSize], h.rNonceNext(2), h.key)
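Review bot: The four new length guards in Server and Client (hunks at -191, -237, -290 and -334) use the bare literals 48, 120, 80 and 16, while the buffers they protect are sized from named constants in the same hunks (`RSize+RSize+SSize+ed25519.SignatureSize`, `data[:RSize]`). Deriving each threshold from those constants, e.g. `len(data) >= RSize+RSize+SSize+ed25519.SignatureSize+idTagLen` for the second Server message (`idTagLen` is a placeholder for whichever constant holds the IDtag length), keeps the guard and the slicing from drifting apart when a size changes. Because the test is folded into the state condition, an undersized packet is not rejected explicitly but falls through to the next branch of the `if … else` chain; the tail of that chain is outside the hunks, so it is worth confirming that it drops the packet and reports it distinctly from a handshake state error. Both function bodies continue outside the hunks.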
diff --git a/src/govpn/peer.go b/src/govpn/peer.go
index 0918018..1097eac 100644
--- a/src/govpn/peer.go
+++ b/src/govpn/peer.go
@@ -260,6 +260,9 @@ func (p *Peer) EthProcess(data []byte) {
 }
 
 func (p *Peer) PktProcess(data []byte, tap io.Writer, reorderable bool) bool {
+ if len(data) < MinPktLength {
+ return false
+ }
 p.BusyR.Lock()
 for i := 0; i < SSize; i++ {
 p.bufR[i] = byte(0)
@@ -327,6 +330,9 @@ func (p *Peer) PktProcess(data []byte, tap io.Writer, reorderable bool) bool {
 p.BusyR.Unlock()
 return true
 }
+ if int(p.pktSizeR) > len(data) - MinPktLength {
+ return false
+ }
 p.BytesPayloadIn += int64(p.pktSizeR)
 tap.Write(p.bufR[S20BS+PktSizeSize : S20BS+PktSizeSize+p.pktSizeR])
 p.BusyR.Unlock()
-- 
2.44.0
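Review bot: The early `return false` added in the second hunk (-327,6 +330,9) appears to leave `p.BusyR` locked: it comes after the `p.BusyR.Lock()` visible in the first hunk, and the code on either side of it calls `p.BusyR.Unlock()` before finishing. Unless the lock is released elsewhere on this path, one packet whose decoded size exceeds `len(data) - MinPktLength` would make every later PktProcess call for that peer block on the mutex, turning the new check into a denial-of-service condition. Add `p.BusyR.Unlock()` on the line before that `return false`. The guard at the top of the function runs before the lock is taken and is not affected; the body of PktProcess between the two hunks is not visible here.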