fix: Fix potential array out-of-bounds in DHT random node retrieval.

iphydf · iphydf · commit d78ee9b12e87 · 2022-04-10T23:17:15.000Z
It can't happen in almost every reality, except when the RNG is fairly
broken and doesn't add 2 fake DHT friends on startup. Still, this code
should be defensive and never index outside `num_friends` elements.
diff --git a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
@@ -1 +1 @@
-624c610327a1288eb58196fb0e93d98d5a3c01ad86835799b90c1936fcbbc156  /usr/local/bin/tox-bootstrapd
+bded6f7ca320d8dfcb123a02c2c06aa9615b0e29e1d1d5b33b94bf88e85524d3  /usr/local/bin/tox-bootstrapd
diff --git a/testing/fuzzing/bootstrap_harness.cc b/testing/fuzzing/bootstrap_harness.cc
@@ -124,6 +124,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 
     Tox_Err_New error_new;
     Tox *tox = tox_new(opts, &error_new);
+    tox_options_free(opts);
 
     if (tox == nullptr) {
         // It might fail, because some I/O happens in tox_new, and the fuzzer
@@ -133,8 +134,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 
     assert(error_new == TOX_ERR_NEW_OK);
 
-    tox_options_free(opts);
-
     uint8_t pub_key[TOX_PUBLIC_KEY_SIZE] = {0};
 
     const bool success = tox_bootstrap(tox, "127.0.0.1", 12345, pub_key, nullptr);
diff --git a/toxcore/DHT.c b/toxcore/DHT.c
@@ -2602,7 +2602,7 @@ uint16_t randfriends_nodes(const DHT *dht, Node_format *nodes, uint16_t max_num)
     const uint32_t r = random_range_u32(dht->rng, dht->num_friends - DHT_FAKE_FRIEND_NUMBER);
     uint16_t count = 0;
 
-    for (size_t i = 0; i < DHT_FAKE_FRIEND_NUMBER; ++i) {
+    for (uint32_t i = 0; i < DHT_FAKE_FRIEND_NUMBER && i < dht->num_friends; ++i) {
         count += list_nodes(dht->rng, dht->friends_list[r + i].client_list,
                             MAX_FRIEND_CLIENTS, dht->cur_time,
                             nodes + count, max_num - count);
@@ -2766,6 +2766,12 @@ DHT *new_dht(const Logger *log, const Random *rng, const Network *ns, Mono_Time
         }
     }
 
+    if (dht->num_friends != DHT_FAKE_FRIEND_NUMBER) {
+        LOGGER_ERROR(log, "the RNG provided seems to be broken: it generated the same keypair twice");
+        kill_dht(dht);
+        return nullptr;
+    }
+
     return dht;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-624c610327a1288eb58196fb0e93d98d5a3c01ad86835799b90c1936fcbbc156 /usr/local/bin/tox-bootstrapd`
	`1`	`+bded6f7ca320d8dfcb123a02c2c06aa9615b0e29e1d1d5b33b94bf88e85524d3 /usr/local/bin/tox-bootstrapd`
Original file line number	Diff line number	Diff line change
`@@ -2602,7 +2602,7 @@ uint16_t randfriends_nodes(const DHT dht, Node_format nodes, uint16_t max_num)`
`2602`	`2602`	`const uint32_t r = random_range_u32(dht->rng, dht->num_friends - DHT_FAKE_FRIEND_NUMBER);`
`2603`	`2603`	`uint16_t count = 0;`
`2604`	`2604`
`2605`		`- for (size_t i = 0; i < DHT_FAKE_FRIEND_NUMBER; ++i) {`
	`2605`	`+ for (uint32_t i = 0; i < DHT_FAKE_FRIEND_NUMBER && i < dht->num_friends; ++i) {`
`2606`	`2606`	`count += list_nodes(dht->rng, dht->friends_list[r + i].client_list,`
`2607`	`2607`	`MAX_FRIEND_CLIENTS, dht->cur_time,`
`2608`	`2608`	`nodes + count, max_num - count);`
`@@ -2766,6 +2766,12 @@ DHT new_dht(const Logger log, const Random rng, const Network ns, Mono_Time`
`2766`	`2766`	`}`
`2767`	`2767`	`}`
`2768`	`2768`
	`2769`	`+ if (dht->num_friends != DHT_FAKE_FRIEND_NUMBER) {`
	`2770`	`+ LOGGER_ERROR(log, "the RNG provided seems to be broken: it generated the same keypair twice");`
	`2771`	`+ kill_dht(dht);`
	`2772`	`+ return nullptr;`
	`2773`	`+ }`
	`2774`	`+`
`2769`	`2775`	`return dht;`
`2770`	`2776`	`}`
`2771`	`2777`