From dfd1b3864800db7241668ff2f56aa43ec6968678 Mon Sep 17 00:00:00 2001
From: nsa
Date: Thu, 15 Aug 2019 20:03:24 -0400
Subject: [PATCH] tlv: fix panic with large length

This commit fixes a panic where a large length in a record could cause the DVarBytes function to fail to allocate a byte slice.
---
 tlv/stream.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tlv/stream.go b/tlv/stream.go
index 49bb70ed..4df70af4 100644
--- a/tlv/stream.go
+++ b/tlv/stream.go
@@ -6,12 +6,18 @@ import (
 "io"
 "io/ioutil"
 "math"
+
+ "github.com/lightningnetwork/lnd/lnwire"
 )
 
 // ErrStreamNotCanonical signals that a decoded stream does not contain records
 // sorting by monotonically-increasing type.
 var ErrStreamNotCanonical = errors.New("tlv stream is not canonical")
 
+// ErrRecordTooLarge signals that a decoded record has a length that is too
+// long to parse.
+var ErrRecordTooLarge = errors.New("record is too large")
+
 // ErrUnknownRequiredType is an error returned when decoding an unknown and even
 // type from a Stream.
 type ErrUnknownRequiredType Type
@@ -183,6 +189,10 @@ func (s *Stream) Decode(r io.Reader) error {
 return err
 }
 
+ if length > lnwire.MaxMessagePayload {
+ return ErrRecordTooLarge
+ }
+
 // Search the records known to the stream for this type. We'll
 // begin the search and recordIdx and walk forward until we find
 // it or the next record's type is larger.
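Review bot: Importing `lnwire` into `tlv` for a single constant makes the low-level encoding package depend on the wire-message package, and it would turn into an import cycle if `lnwire` ever needs to decode TLV streams itself. A package-local limit keeps the dependency one-way, for example `const MaxRecordSize = 65535 // largest payload a single wire message can carry` (assuming that is the value of `lnwire.MaxMessagePayload`; confirm before copying it). The doc comment on `ErrRecordTooLarge` would also help callers more if it named the limit being enforced rather than saying only "too long to parse".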
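Review bot: The new guard in `Decode` caps `length` at the maximum message payload but does not relate it to the bytes actually left in `r`, so a short stream that declares a length just under the cap presumably still lets a decoder such as DVarBytes (named in the commit message, not visible here) allocate that much before the read fails. That is bounded and removes the panic, but the reason for the check should be written next to it, e.g. `// length is read straight off the wire; bound it before any decoder sizes a buffer from it`. The diffstat lists only tlv/stream.go, so a regression test that decodes a record with an over-limit length and expects `ErrRecordTooLarge` is missing. `Decode` begins and ends outside this hunk.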