From 64517c916553a3e5200a406ac893316aaad8f3bd Mon Sep 17 00:00:00 2001
From: levlam
Date: Thu, 11 Jul 2019 03:12:27 +0300
Subject: [PATCH] Fix checks for additional data at the end.
GitOrigin-RevId: 66067600bec585ad2c310c7adc263a5e88232653
---
 td/mtproto/SessionConnection.cpp | 1 +
 td/telegram/ConfigManager.cpp | 5 +++--
 td/telegram/SecretChatActor.cpp | 2 ++
 td/telegram/Td.cpp | 1 +
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/td/mtproto/SessionConnection.cpp b/td/mtproto/SessionConnection.cpp
index 4f319851a..d95ec30ef 100644
--- a/td/mtproto/SessionConnection.cpp
+++ b/td/mtproto/SessionConnection.cpp
@@ -479,6 +479,7 @@ Status SessionConnection::on_slice_packet(const MsgInfo &info, Slice packet) {
 }
 TlParser parser(packet);
 tl_object_ptr object = mtproto_api::Object::fetch(parser);
+ parser.fetch_end();
 if (parser.get_error()) {
 // msg_container is not real tl object
 if (packet.size() >= 4 && as(packet.begin()) == mtproto_api::msg_container::ID) {
diff --git a/td/telegram/ConfigManager.cpp b/td/telegram/ConfigManager.cpp
index 95f5f3dde..095aec6d9 100644
--- a/td/telegram/ConfigManager.cpp
+++ b/td/telegram/ConfigManager.cpp
@@ -102,16 +102,17 @@ Result decode_config(Slice input) {
 TlParser len_parser{data_cbc};
 int len = len_parser.fetch_int();
- if (len < 0 || len > 204) {
+ if (len < 8 || len > 208) {
 return Status::Error(PSLICE() << "Invalid " << tag("data length", len) << " after aes_cbc_decrypt");
 }
 int constructor_id = len_parser.fetch_int();
 if (constructor_id != telegram_api::help_configSimple::ID) {
 return Status::Error(PSLICE() << "Wrong " << tag("constructor", format::as_hex(constructor_id)));
 }
- BufferSlice raw_config(data_cbc.substr(8, len));
+ BufferSlice raw_config(data_cbc.substr(8, len - 8));
 TlBufferParser parser{&raw_config};
 auto config = telegram_api::help_configSimple::fetch(parser);
+ parser.fetch_end();
 TRY_STATUS(parser.get_status());
 return std::move(config);
 }
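Review bot: The `fetch(parser)` / `parser.fetch_end()` / `get_error()` sequence is written out by hand here in on_slice_packet, again in decode_config and Td::on_result, and, judging by the diffstat, in SecretChatActor.cpp as well. Leaving out the middle call silently accepts trailing bytes after a parsed object, which is the gap this commit closes four times over. A single helper that fetches, calls `fetch_end()` and returns the parser status would stop a future call site from reintroducing it. Short of that, a comment on the added line such as `// reject trailing bytes after the object` would record why the call is there. on_slice_packet starts and ends outside this hunk, so the rest of the error branch is not visible.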
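Review bot: The bounds in `if (len < 8 || len > 208)` and the offset in `data_cbc.substr(8, len - 8)` are bare numbers with no stated derivation. The 8 follows from the two `fetch_int()` calls on len_parser (length word plus constructor id), so `len` evidently counts those header bytes; 208 is presumably the decrypted buffer size less a trailing checksum, which the hunk does not show. Because `len` is read from the decrypted input and directly sizes the slice handed to the parser, a comment such as `// len includes the 4-byte length and 4-byte constructor id; payload is data_cbc[8, len)` would make the check auditable. A named constant, or an upper bound derived from `data_cbc.size()`, would do the same for 208. decode_config begins above the hunk.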
diff --git a/td/telegram/SecretChatActor.cpp b/td/telegram/SecretChatActor.cpp index 27c5bafe0..1e6b7e3e1 100644 --- a/td/telegram/SecretChatActor.cpp +++ b/td/telegram/SecretChatActor.cpp @@ -895,6 +895,7 @@ Status SecretChatActor::do_inbound_message_encrypted(unique_ptrlayer_; if (layer < DEFAULT_LAYER && false /*TODO: fix android app bug? */) { @@ -930,6 +931,7 @@ Status SecretChatActor::do_inbound_message_encrypted(unique_ptrdecrypted_message_layer = secret_api::make_object( BufferSlice(), config_state_.his_layer, -1, -1, std::move(message_without_layer)); diff --git a/td/telegram/Td.cpp b/td/telegram/Td.cpp index 3d1f74ffe..e9422bf6c 100644 --- a/td/telegram/Td.cpp +++ b/td/telegram/Td.cpp @@ -3580,6 +3580,7 @@ void Td::on_result(NetQueryPtr query) { auto ok = query->move_as_ok(); TlBufferParser parser(&ok); auto ptr = telegram_api::Updates::fetch(parser); + parser.fetch_end(); if (parser.get_error()) { LOG(ERROR) << "Failed to fetch update: " << parser.get_error() << format::as_hex_dump<4>(ok.as_slice()); updates_manager_->schedule_get_difference("failed to fetch update");
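Review bot: In the Td::on_result hunk, the failure branch after the added `parser.fetch_end();` logs `format::as_hex_dump<4>(ok.as_slice())`, i.e. the whole response, at ERROR level. With this change an update that parses cleanly but carries trailing bytes also takes that branch, so a complete and otherwise valid update payload (which may well contain user content) ends up in the log, with its size set by the server. Consider logging the error together with `ok.size()` and only a bounded prefix of the buffer. Td::on_result continues outside the hunk, so any size limit applied earlier is not visible here.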