fix: Fix potential array out-of-bounds in DHT random node retrieval.

It can't happen in almost every reality, except when the RNG is fairly broken and doesn't add 2 fake DHT friends on startup. Still, this code should be defensive and never index outside `num_friends` elements.
TokTok · Apr 10, 2022 · fb04f6b · fb04f6b
1 parent 616bd63
commit fb04f6b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
@@ -1 +1 @@
-ea227a21dcaed2f54d61bd9175c6deb02480ebd894ebd589061556a1708c0c9f  /usr/local/bin/tox-bootstrapd
+3ad69763cb11d359c666122e224e9081ba10dde554bde96b17d2f57ad9740e52  /usr/local/bin/tox-bootstrapd
diff --git a/toxcore/DHT.c b/toxcore/DHT.c
@@ -2601,7 +2601,7 @@ uint16_t randfriends_nodes(const DHT *dht, Node_format *nodes, uint16_t max_num)
     uint16_t count = 0;
     const uint32_t r = random_u32(dht->rng);
 
-    for (size_t i = 0; i < DHT_FAKE_FRIEND_NUMBER; ++i) {
+    for (uint32_t i = 0; i < DHT_FAKE_FRIEND_NUMBER && i < dht->num_friends; ++i) {
         count += list_nodes(dht->rng, dht->friends_list[(i + r) % DHT_FAKE_FRIEND_NUMBER].client_list,
                             MAX_FRIEND_CLIENTS, dht->cur_time,
                             nodes + count, max_num - count);
@@ -2765,6 +2765,12 @@ DHT *new_dht(const Logger *log, const Random *rng, const Network *ns, Mono_Time
         }
     }
 
+    if (dht->num_friends != DHT_FAKE_FRIEND_NUMBER) {
+        LOGGER_ERROR(log, "the RNG provided seems to be broken: it generated the same keypair twice");
+        kill_dht(dht);
+        return nullptr;
+    }
+
     return dht;
 }
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		ea227a21dcaed2f54d61bd9175c6deb02480ebd894ebd589061556a1708c0c9f /usr/local/bin/tox-bootstrapd
		3ad69763cb11d359c666122e224e9081ba10dde554bde96b17d2f57ad9740e52 /usr/local/bin/tox-bootstrapd