ax(ueps): guard tagValue index access against zero-length TLV values

A malformed frame with length 0 for any single-byte tag (TagVersion,
TagCurrentLayer, TagTargetLayer, TagIntent) or fewer than 2 bytes for
TagThreatScore caused a runtime panic (index out of range) on untrusted
input. Added len(tagValue) bounds checks in ReadAndVerify before each
tagValue[0] and Uint16 access to eliminate the panic path.

Co-Authored-By: Charon <charon@lethean.io>
This commit is contained in:
Claude 2026-04-02 14:20:39 +01:00
parent bac107b377
commit 3ef84c6166
No known key found for this signature in database
GPG key ID: AF404715446AEB41
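The commit message describes the defect class (a TLV parser that indexes a value without first checking its length) and the fix (bounds checks before each access). The following is an added example, not the project's code: a small bounds-checked TLV reader written for this page. The tag names mirror those in the commit, but their numeric values, the 1-byte tag / 1-byte length encoding, and the `Header` type are assumptions. It differs from the patch in one respect worth noting: a value of the wrong length is reported as an error rather than silently skipped, so a malformed frame cannot be accepted with zero-valued fields.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Tag identifiers. The names mirror those in the commit; the numeric values
// are assumptions for this example, not the project's real wire constants.
const (
	TagVersion      byte = 0x01
	TagCurrentLayer byte = 0x02
	TagTargetLayer  byte = 0x03
	TagIntent       byte = 0x04
	TagThreatScore  byte = 0x05
)

// fixedWidth records the exact value length each fixed-size tag must carry.
var fixedWidth = map[byte]int{
	TagVersion:      1,
	TagCurrentLayer: 1,
	TagTargetLayer:  1,
	TagIntent:       1,
	TagThreatScore:  2,
}

// ErrMalformedTLV is returned for any frame whose TLV structure is invalid.
var ErrMalformedTLV = errors.New("malformed TLV frame")

// Header holds the decoded fixed-width fields (a stand-in for the commit's packetHeader).
type Header struct {
	Version, CurrentLayer, TargetLayer, IntentID uint8
	ThreatScore                                  uint16
}

// ParseHeader reads 1-byte tag / 1-byte length / value triples until EOF
// (an assumed encoding). Every value length is validated before the value is
// indexed, and a short or oversized fixed-width value is a hard error rather
// than a silently skipped field.
func ParseHeader(r *bufio.Reader) (*Header, error) {
	h := &Header{}
	for {
		tag, err := r.ReadByte()
		if err == io.EOF {
			return h, nil
		}
		if err != nil {
			return nil, err
		}
		n, err := r.ReadByte()
		if err != nil {
			return nil, fmt.Errorf("%w: tag 0x%02x missing length byte", ErrMalformedTLV, tag)
		}
		val := make([]byte, int(n))
		if _, err := io.ReadFull(r, val); err != nil {
			return nil, fmt.Errorf("%w: tag 0x%02x declares %d bytes but frame is truncated", ErrMalformedTLV, tag, n)
		}
		// The length check happens once, here, for all fixed-width tags; the
		// switch below can then index val safely.
		if want, ok := fixedWidth[tag]; ok && len(val) != want {
			return nil, fmt.Errorf("%w: tag 0x%02x has %d-byte value, want %d", ErrMalformedTLV, tag, len(val), want)
		}
		switch tag {
		case TagVersion:
			h.Version = val[0]
		case TagCurrentLayer:
			h.CurrentLayer = val[0]
		case TagTargetLayer:
			h.TargetLayer = val[0]
		case TagIntent:
			h.IntentID = val[0]
		case TagThreatScore:
			h.ThreatScore = binary.BigEndian.Uint16(val)
		default:
			// Unknown tags are skipped; their value was already consumed above.
		}
	}
}

func main() {
	// Constructed frames: one well-formed, one with a zero-length TagVersion
	// (the exact shape that panicked before the fix).
	good := []byte{TagVersion, 1, 7, TagThreatScore, 2, 0x01, 0x02}
	bad := []byte{TagVersion, 0}
	for _, frame := range [][]byte{good, bad} {
		h, err := ParseHeader(bufio.NewReader(bytes.NewReader(frame)))
		fmt.Printf("frame % x -> header=%+v err=%v\n", frame, h, err)
	}
}
```

Centralising the width check in one table means a new fixed-size tag cannot be added to the switch without also declaring its length, which is the kind of omission that produced the original panic.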


@ -61,15 +61,25 @@ func ReadAndVerify(reader *bufio.Reader, sharedSecret []byte) (*ParsedPacket, er
switch tagType {
case TagVersion:
packetHeader.Version = tagValue[0]
if len(tagValue) >= 1 {
packetHeader.Version = tagValue[0]
}
case TagCurrentLayer:
packetHeader.CurrentLayer = tagValue[0]
if len(tagValue) >= 1 {
packetHeader.CurrentLayer = tagValue[0]
}
case TagTargetLayer:
packetHeader.TargetLayer = tagValue[0]
if len(tagValue) >= 1 {
packetHeader.TargetLayer = tagValue[0]
}
case TagIntent:
packetHeader.IntentID = tagValue[0]
if len(tagValue) >= 1 {
packetHeader.IntentID = tagValue[0]
}
case TagThreatScore:
packetHeader.ThreatScore = binary.BigEndian.Uint16(tagValue)
if len(tagValue) >= 2 {
packetHeader.ThreatScore = binary.BigEndian.Uint16(tagValue)
}
case TagHMAC:
hmacSignature = tagValue
}
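Review bot: the guards (`if len(tagValue) >= 1 {` before `packetHeader.Version = tagValue[0]`, and `>= 2` before the `Uint16` read) remove the panic but turn a malformed frame into a silently accepted one: when the value is too short the field simply keeps its zero value and parsing continues, so an empty TagVersion or a one-byte TagThreatScore is processed as Version 0 or ThreatScore 0. Since ReadAndVerify already returns `(*ParsedPacket, error)`, each guard should have an `else` that returns an error naming the tag, so that the caller rejects the frame. Consider also checking the exact width (`== 1`, `== 2`) for these fixed-size tags rather than `>=`, so oversized values are rejected instead of having their trailing bytes ignored.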