add missing checks to read_message

the method was missing checks not only for if the handshake was already finished, but if it was not one's turn to read in the handshake. closes mcginty#94
nickray · Jul 6, 2020 · 4373a51 · 4373a51
1 parent 81d8871
commit 4373a51
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/src/handshakestate.rs b/src/handshakestate.rs
@@ -350,8 +350,11 @@ impl HandshakeState {
     fn _read_message(&mut self, message: &[u8], payload: &mut [u8]) -> Result<usize, Error> {
         if message.len() > MAXMSGLEN {
             bail!(Error::Input);
+        } else if self.my_turn {
+            bail!(StateProblem::NotTurnToRead);
+        } else if self.pattern_position >= self.message_patterns.len() {
+            bail!(StateProblem::HandshakeAlreadyFinished);
         }
-
         let last = self.pattern_position == (self.message_patterns.len() - 1);
 
         let dh_len = self.dh_len();

diff --git a/tests/general.rs b/tests/general.rs
@@ -786,3 +786,21 @@ fn test_stateless_sanity_session() {
     let len = h_r.read_message(1337, &buffer_msg[..len], &mut buffer_out).unwrap();
     assert_eq!(&buffer_out[..len], b"hack the planet");
 }
+
+#[test]
+fn test_handshake_read_oob_error() {
+    let params: NoiseParams = "Noise_NN_25519_ChaChaPoly_SHA256".parse().unwrap();
+    let mut h_i = Builder::new(params.clone()).build_initiator().unwrap();
+    let mut h_r = Builder::new(params).build_responder().unwrap();
+
+    let mut buffer_msg = [0u8; 200];
+    let mut buffer_out = [0u8; 200];
+    let len = h_i.write_message(b"abc", &mut buffer_msg).unwrap();
+    h_r.read_message(&buffer_msg[..len], &mut buffer_out).unwrap();
+
+    let len = h_r.write_message(b"defg", &mut buffer_msg).unwrap();
+    h_i.read_message(&buffer_msg[..len], &mut buffer_out).unwrap();
+
+    // This shouldn't panic, but it *should* return an error.
+    let _ = h_i.read_message(&buffer_msg[..len], &mut buffer_out);
+}