libi2pd: fix undefined behaviour and memory overruns

This fixes the following issues (flagged by cppcheck): [libi2pd/ECIESX25519AEADRatchetSession.cpp:537]: (error) Buffer is accessed out of bounds: m_NSREncodedKey [libi2pd/Identity.cpp:22]: (error) Buffer is accessed out of bounds: keys.publicKey [libi2pd/Identity.cpp:22]: (error) Buffer is accessed out of bounds: publicKey [libi2pd/NetDb.cpp:70] -> [libi2pd/NetDb.cpp:69]: (error) Iterator 'it' used after element has been erased [libi2pd/SSUData.cpp:186] -> [libi2pd/SSUData.cpp:187]: (warning) Shifting 32-bit value by 63 bits is undefined behaviour.
3 years ago · a348e10620
parent af794f901f
commit a348e10620
4 changed files with 5 additions and 4 deletions
--- a/libi2pd/ECIESX25519AEADRatchetSession.cpp
+++ b/libi2pd/ECIESX25519AEADRatchetSession.cpp
@ -534,7 +534,7 @@ namespace garlic
 			LogPrint (eLogError, "Garlic: Can't encode elligator");
 			return false;
 		}
-		memcpy (m_NSREncodedKey, out + offset, 56); // for possible next NSR
+		memcpy (m_NSREncodedKey, out + offset, 32); // for possible next NSR
 		memcpy (m_NSRH, m_H, 32);
 		offset += 32;
 		// KDF for Reply Key Section
--- a/libi2pd/Identity.cpp
+++ b/libi2pd/Identity.cpp
@ -19,7 +19,8 @@ namespace data
 	Identity& Identity::operator=(const Keys& keys)
 	{
 		// copy public and signing keys together
-		memcpy (publicKey, keys.publicKey, sizeof (publicKey) + sizeof (signingKey));
+		memcpy (publicKey, keys.publicKey, sizeof (publicKey));
+		memcpy (signingKey, keys.signingKey, sizeof (signingKey));
 		memset (certificate, 0, sizeof (certificate));
 		return *this;
 	}
--- a/libi2pd/NetDb.cpp
+++ b/libi2pd/NetDb.cpp
@ -66,8 +66,8 @@ namespace data
 		if (it != m_RouterInfos.end ())
 		{
 			// remove own router
-			m_RouterInfos.erase (it);
 			m_Floodfills.remove (it->second);
+			m_RouterInfos.erase (it);
 		}
 		// insert own router
 		m_RouterInfos.emplace (i2p::context.GetIdentHash (), i2p::context.GetSharedRouterInfo ());
--- a/libi2pd/SSUData.cpp
+++ b/libi2pd/SSUData.cpp
@ -185,7 +185,7 @@ namespace transport
 			auto& incompleteMessage = it->second;
 			// mark fragment as received
 			if (fragmentNum < 64)
-				incompleteMessage->receivedFragmentsBits |= (0x01 << fragmentNum);
+				incompleteMessage->receivedFragmentsBits |= (uint64_t(0x01) << fragmentNum);
 			else
 				LogPrint (eLogWarning, "SSU: Fragment number ", fragmentNum, " exceeds 64");