Check len against underflow that could cause heap overrun

Caught by Georg Wicherski of Kaspersky Labs
mongodb · Oct 22, 2010 · 7afb6e4 · 7afb6e4
1 parent e62001c
commit 7afb6e4
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/mongo.c b/src/mongo.c
@@ -293,6 +293,10 @@ mongo_reply * mongo_read_response( mongo_connection * conn ){
     looping_read(conn, &fields, sizeof(fields));
 
     bson_little_endian32(&len, &head.len);
+
+    if (len < sizeof(head)+sizeof(fields) || len > 64*1024*1024)
+        MONGO_THROW(MONGO_EXCEPT_NETWORK); /* most likely corruption */
+
     out = (mongo_reply*)bson_malloc(len);
 
     out->head.len = len;