From fafdb0c59009ffa9525486965fd4ef7acc44f6e8 Mon Sep 17 00:00:00 2001
From: orignal
Date: Mon, 30 Jan 2023 15:06:40 -0500
Subject: [PATCH] drop too long or too short LeaseSet
---
libi2pd/Destination.cpp | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libi2pd/Destination.cpp b/libi2pd/Destination.cpp
index d202af96..9be0c06e 100644
--- a/libi2pd/Destination.cpp
+++ b/libi2pd/Destination.cpp
@@ -399,6 +399,11 @@ namespace client
 void LeaseSetDestination::HandleDatabaseStoreMessage (const uint8_t * buf, size_t len)
 {
+ if (len < DATABASE_STORE_HEADER_SIZE)
+ {
+ LogPrint (eLogError, "Destination: Database store msg is too short ", len);
+ return;
+ }
 uint32_t replyToken = bufbe32toh (buf + DATABASE_STORE_REPLY_TOKEN_OFFSET);
 size_t offset = DATABASE_STORE_HEADER_SIZE;
 if (replyToken)
@@ -406,6 +411,11 @@ namespace client
 LogPrint (eLogInfo, "Destination: Reply token is ignored for DatabaseStore");
 offset += 36;
 }
+ if (offset > len || len > i2p::data::MAX_LS_BUFFER_SIZE + offset)
+ {
+ LogPrint (eLogError, "Destination: Database store message is too long ", len);
+ return;
+ }
 i2p::data::IdentHash key (buf + DATABASE_STORE_KEY_OFFSET);
 std::shared_ptr leaseSet;
 switch (buf[DATABASE_STORE_TYPE_OFFSET])
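Review bot: In the second hunk the guard `if (offset > len || len > i2p::data::MAX_LS_BUFFER_SIZE + offset)` logs "too long" for both branches, but `offset > len` is the case where a reply token is present and fewer than 36 bytes follow the header, i.e. a too-short message, so the log line misdescribes what was rejected. I would split the condition or make the message neutral and include the offset, e.g. `LogPrint (eLogError, "Destination: Database store message has invalid length ", len, " for payload offset ", offset);`, and for consistency with the first hunk use either "msg" or "message" in both messages. `offset == len` still reaches the type switch with an empty payload; whether the per-type parsing below tolerates a zero-length LeaseSet buffer is not visible here, so it may be worth rejecting `offset >= len` if no type accepts an empty body. HandleDatabaseStoreMessage continues past the end of the hunk.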