dict: handle negative key/value length while unserialize

Fixes: bz#1625089 Change-Id: Ie56df0da46c242846a1ba51ccb9e011af118b119 Signed-off-by: Amar Tumballi <amarts@redhat.com>
author: Amar Tumballi <amarts@redhat.com> 2018-07-24 13:25:12 +0530
committer: jiffin tony Thottan <jthottan@redhat.com> 2018-09-06 14:45:30 +0000
commit: 46fce2e458f09606e7ebeca31d2f04b4d25621d2 (patch)
tree: fb3638ae46556afb71f5816f576977d648591d06 /libglusterfs/src
parent: 045a2493704cd3000260a52fc67d06582b2566ef (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/libglusterfs/src/dict.c b/libglusterfs/src/dict.c
index 1061a98577e..388f6f746b2 100644
--- a/libglusterfs/src/dict.c
+++ b/libglusterfs/src/dict.c
@@ -3093,7 +3093,8 @@ dict_unserialize (char *orig_buf, int32_t size, dict_t **fill)
                 vallen = ntoh32 (hostord);
                 buf += DICT_DATA_HDR_VAL_LEN;
 
-                if ((buf + keylen) > (orig_buf + size)) {
+                if ((keylen < 0) || (vallen < 0) ||
+                    (buf + keylen) > (orig_buf + size)) {
                         gf_msg_callingfn ("dict", GF_LOG_ERROR, 0,
                                           LG_MSG_UNDERSIZED_BUF,
                                           "undersized buffer passed. "
author	Amar Tumballi <amarts@redhat.com>	2018-07-24 13:25:12 +0530
committer	jiffin tony Thottan <jthottan@redhat.com>	2018-09-06 14:45:30 +0000
commit	46fce2e458f09606e7ebeca31d2f04b4d25621d2 (patch)
tree	fb3638ae46556afb71f5816f576977d648591d06 /libglusterfs/src
parent	045a2493704cd3000260a52fc67d06582b2566ef (diff)