Merge pull request #205 from expressvpn/cvpn-2035-fix

kp-mariappan-ramasamy · web-flow · commit 376df03bb311 · 2025-06-06T18:48:41.000+08:00
CVPN-2035: Fix using correct struct for validating length
diff --git a/src/he/msg_handlers.c b/src/he/msg_handlers.c
@@ -279,7 +279,7 @@ he_return_code_t he_handle_msg_auth(he_conn_t *conn, uint8_t *packet, int length
 
         // Check the auth token length
         uint16_t auth_token_length = ntohs(msg_token->token_length);
-        if(auth_token_length > (length - sizeof(he_msg_auth_hdr_t))) {
+        if(auth_token_length > (length - sizeof(he_msg_auth_token_t))) {
           return HE_ERR_PACKET_TOO_SMALL;
         }
         auth_state = conn->auth_token_cb(conn, msg_token->token, auth_token_length, conn->data);
@@ -298,7 +298,7 @@ he_return_code_t he_handle_msg_auth(he_conn_t *conn, uint8_t *packet, int length
 
         // Check the auth buffer length
         uint16_t auth_buf_length = ntohs(msg_buf->buffer_length);
-        if(auth_buf_length > (length - sizeof(he_msg_auth_hdr_t))) {
+        if(auth_buf_length > (length - sizeof(he_msg_auth_buf_t))) {
           return HE_ERR_PACKET_TOO_SMALL;
         }
         auth_state = conn->auth_buf_cb(conn, msg_buf->header.auth_type, msg_buf->buffer,
diff --git a/test/he/test_msg_handlers.c b/test/he/test_msg_handlers.c
@@ -837,6 +837,14 @@ void test_msg_auth_token_packet_too_small(void) {
   // Call with a small size to trigger the size check
   he_return_code_t res = he_handle_msg_auth(conn, empty_data, 4);
   TEST_ASSERT_EQUAL(HE_ERR_PACKET_TOO_SMALL, res);
+
+  auth_message->header.auth_type = HE_AUTH_TYPE_TOKEN;
+  // Fake buffer length
+  auth_message->token_length = ntohs(4);
+
+  // Call with a small size to trigger the size check
+  res = he_handle_msg_auth(conn, empty_data, sizeof(he_msg_auth_token_t) + 2);
+  TEST_ASSERT_EQUAL(HE_ERR_PACKET_TOO_SMALL, res);
 }
 
 void test_msg_auth_token_packet_invalid_length(void) {
@@ -906,6 +914,14 @@ void test_msg_auth_buf_packet_too_small(void) {
   // Call with a small size to trigger the size check
   he_return_code_t res = he_handle_msg_auth(conn, empty_data, 4);
   TEST_ASSERT_EQUAL(HE_ERR_PACKET_TOO_SMALL, res);
+
+  auth_message->header.auth_type = HE_AUTH_TYPE_CB;
+  // Fake buffer length
+  auth_message->buffer_length = ntohs(4);
+
+  // Call with a small size to trigger the size check
+  res = he_handle_msg_auth(conn, empty_data, sizeof(he_msg_auth_buf_t) + 2);
+  TEST_ASSERT_EQUAL(HE_ERR_PACKET_TOO_SMALL, res);
 }
 
 void test_msg_auth_buf_packet_invalid_length(void) {
