From: Rob Pike <r@golang.org>
Date: Mon, 26 Sep 2011 22:58:01 +0000 (-0700)
Subject: gob: protect against invalid message length
X-Git-Tag: weekly.2011-10-06~90
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=4c462e6fd719861e03cab1a7c5c892b7db7baa11;p=gostls13.git

gob: protect against invalid message length
Fixes #2301.

R=golang-dev, gri
CC=golang-dev
https://golang.org/cl/5134048
---

diff --git a/src/pkg/gob/decoder.go b/src/pkg/gob/decoder.go
index 2819471322..c2a1e0c3a8 100644
--- a/src/pkg/gob/decoder.go
+++ b/src/pkg/gob/decoder.go
@@ -58,6 +58,8 @@ func (dec *Decoder) recvType(id typeId) {
 	dec.wireType[id] = wire
 }
 
+var errBadCount = gobError{os.NewError("invalid message length")}
+
 // recvMessage reads the next count-delimited item from the input. It is the converse
 // of Encoder.writeMessage. It returns false on EOF or other error reading the message.
 func (dec *Decoder) recvMessage() bool {
@@ -67,6 +69,10 @@ func (dec *Decoder) recvMessage() bool {
 		dec.err = err
 		return false
 	}
+	if nbytes >= 1<<31 {
+		dec.err = errBadCount
+		return false
+	}
 	dec.readMessage(int(nbytes))
 	return dec.err == nil
 }
diff --git a/src/pkg/gob/encoder_test.go b/src/pkg/gob/encoder_test.go
index 79d2897010..4263666393 100644
--- a/src/pkg/gob/encoder_test.go
+++ b/src/pkg/gob/encoder_test.go
@@ -628,3 +628,13 @@ func TestSliceReusesMemory(t *testing.T) {
 		}
 	}
 }
+
+// Used to crash: negative count in recvMessage.
+func TestBadCount(t *testing.T) {
+	b := []byte{0xfb, 0xa5, 0x82, 0x2f, 0xca, 0x1}
+	if err := NewDecoder(bytes.NewBuffer(b)).Decode(nil); err == nil {
+		t.Error("expected error from bad count")
+	} else if err.String() != errBadCount.String() {
+		t.Error("expected bad count error; got", err)
+	}
+}