authorAndrew Stitcher <astitcher@apache.org>2013-03-05 21:57:48 +0000
committerAndrew Stitcher <astitcher@apache.org>2013-03-05 21:57:48 +0000
commit11bea917a9992f36b944c82de21c74abc45840ff (patch)
treeac52af5adfa9d02fde53c2fd85a36dc33746afae /cpp/include
parent2fb83ce0133fd9ced8406d2c45a526ab0811c7b8 (diff)
QPID-4629 Improve validation of received frames.
- Added checks to Buffer to ensure no buffer overruns occur; - Fixed an unsigned comparison error in the checking function. - Improved FieldValue decoding to check we've actually got data before allocating the space for it. - Disallowed large arrays (greater than 256 elements) of zero length elements - avoids potential memory exhaustion problems. [Fixes from Florian Weimer, Red Hat Product Security Team, lightly modified] This change fixes these vulnerabilities CVE-2012-4458 CVE-2012-4459 CVE-2012-4460 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1453031 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/include')
-rw-r--r--cpp/include/qpid/framing/Buffer.h2
-rw-r--r--cpp/include/qpid/framing/FieldValue.h1
2 files changed, 2 insertions, 1 deletions
diff --git a/cpp/include/qpid/framing/Buffer.h b/cpp/include/qpid/framing/Buffer.h
index 2ccad3bd57..293d591a94 100644
--- a/cpp/include/qpid/framing/Buffer.h
+++ b/cpp/include/qpid/framing/Buffer.h
@@ -45,7 +45,7 @@ class QPID_COMMON_CLASS_EXTERN Buffer
uint32_t position;
public:
- void checkAvailable(uint32_t count) { if (position + count > size) throw OutOfBounds(); }
+ void checkAvailable(size_t count) { if (count > size - position) throw OutOfBounds(); }
QPID_COMMON_EXTERN Buffer(char* data=0, uint32_t size=0);
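Review bot: The rewritten comparison in `checkAvailable` is only safe while `position <= size` holds. `position` is a `uint32_t` and `size` appears to be one as well (judging by the constructor parameter), so if any path leaves `position` past `size`, the subtraction wraps to a large value and the bounds check passes. Consider making the guard self-contained, `if (position > size || count > size - position) throw OutOfBounds();`, or at least recording the invariant next to it, `// requires position <= size, so size - position cannot wrap`. The rest of the Buffer class lies outside this hunk, so whether every method that sets `position` directly enforces that invariant cannot be confirmed from here.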
diff --git a/cpp/include/qpid/framing/FieldValue.h b/cpp/include/qpid/framing/FieldValue.h
index e964da495a..1adcb2fa07 100644
--- a/cpp/include/qpid/framing/FieldValue.h
+++ b/cpp/include/qpid/framing/FieldValue.h
@@ -281,6 +281,7 @@ class VariableWidthValue : public FieldValue::Data {
};
void decode(Buffer& buffer) {
uint32_t len = buffer.getUInt<lenwidth>();
+ buffer.checkAvailable(len);
octets.resize(len);
if (len > 0)
buffer.getRawData(&octets[0], len);
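Review bot: The new `buffer.checkAvailable(len);` in `decode` has to stay ahead of `octets.resize(len)` to be effective, and nothing in the code says so. `len` is read straight from the received frame, so a later reordering, or a cleanup that treats the call as redundant with whatever check `getRawData` may perform, would bring back an allocation sized by an unvalidated length. I would add a comment above the call, `// len is peer-controlled: confirm the bytes are present before sizing octets`. The enclosing class starts before the hunk and the closing brace of `decode` is outside it.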