Bound the number of friends you can have to ~4 billion.

If you have UINT32_MAX friends, then adding one more friend will cause an overflow of the friend list (wrap to 0) and result in all friends being deleted. This subsequently results in a null pointer dereference when we're trying to add one friend to the deleted friend list.
TokTok · Apr 29, 2020 · 7edc0a5 · 7edc0a5
1 parent de3c21b
commit 7edc0a5
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/toxcore/Messenger.c b/toxcore/Messenger.c
@@ -161,6 +161,12 @@ static int m_handle_lossy_packet(void *object, int friend_num, const uint8_t *pa
 
 static int32_t init_new_friend(Messenger *m, const uint8_t *real_pk, uint8_t status)
 {
+    if (m->numfriends == UINT32_MAX) {
+        LOGGER_ERROR(m->log, "Friend list full: we have more than 4 billion friends");
+        /* This is technically incorrect, but close enough. */
+        return FAERR_NOMEM;
+    }
+
     /* Resize the friend list if necessary. */
     if (realloc_friendlist(m, m->numfriends + 1) != 0) {
         return FAERR_NOMEM;