author | Sree Harsha Totakura <totakura@in.tum.de> | 2016-07-07 08:55:26 +0000 |
---|---|---|
committer | Sree Harsha Totakura <totakura@in.tum.de> | 2016-07-07 08:55:26 +0000 |
commit | ea7bfd24c3f394ee60a1f02d358c7ba88e05447c (patch) | |
tree | 387b62b1bbf0f959b5df8bc52cb6d8630987ed5e | |
parent | aeece360025012e270a30d4cd174a60fca30af38 (diff) |
introduce more message parsing checks
These checks may provide hints for Coverity.
-rw-r--r-- | src/testbed/testbed_api.c | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/src/testbed/testbed_api.c b/src/testbed/testbed_api.c index 7c0ed1f029..6fec82ab25 100644 --- a/src/testbed/testbed_api.c +++ b/src/testbed/testbed_api.c @@ -1242,16 +1242,43 @@ handle_barrier_status (void *cls, emsg = NULL; barrier = NULL; msize = ntohs (msg->header.size); + if (msize <= sizeof (struct GNUNET_TESTBED_BarrierStatusMsg)) + { + GNUNET_break_op (0); + goto cleanup; + } name = msg->data; name_len = ntohs (msg->name_len); + if (name_len >= //name_len is strlen(barrier_name) + (msize - ((sizeof msg->header) + sizeof (msg->status)) ) ) + { + GNUNET_break_op (0); + goto cleanup; + } + if ('\0' != name[name_len]) + { + GNUNET_break_op (0); + goto cleanup; + } LOG_DEBUG ("Received BARRIER_STATUS msg\n"); status = ntohs (msg->status); if (GNUNET_TESTBED_BARRIERSTATUS_ERROR == status) { status = -1; - emsg_len = msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg) + name_len - + 1); - emsg = GNUNET_malloc (emsg_len + 1); + //unlike name_len, emsg_len includes the trailing zero + emsg_len = msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg) + + (name_len + 1)); + if (0 == emsg_len) + { + GNUNET_break_op (0); + goto cleanup; + } + if ('\0' != (msg->data[(name_len + 1) + (emsg_len - 1)])) + { + GNUNET_break_op (0); + goto cleanup; + } + emsg = GNUNET_malloc (emsg_len); memcpy (emsg, msg->data + name_len + 1, emsg_len); |
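Review bot: The new `name_len` bound looks too loose: it subtracts only `(sizeof msg->header) + sizeof (msg->status)` from `msize`, while the first check and the `emsg_len` computation both use `sizeof (struct GNUNET_TESTBED_BarrierStatusMsg)`. The struct also has a `name_len` member, so if that field sits ahead of `data` (the definition is not visible here, please confirm), a `name_len` in that gap passes the check and `name[name_len]` reads past the end of the received message. In the error branch the same value makes `msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg) + (name_len + 1))` go below zero, which `0 == emsg_len` does not catch if `emsg_len` is unsigned, so the terminator check and the `GNUNET_malloc`/`memcpy` would use a wrapped length. Using the same header size everywhere closes this: `if (name_len >= msize - sizeof (struct GNUNET_TESTBED_BarrierStatusMsg))`. The body of `handle_barrier_status` starts and ends outside the hunk, so the declared types of `msize`, `name_len` and `emsg_len` should be checked there.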