From c196780378d49c786a8d56fb9444503a9816d526 Mon Sep 17 00:00:00 2001
From: xywang <xywang@taosdata.com>
Date: Tue, 25 Jan 2022 14:17:32 +0800
Subject: [PATCH] [TS-487]<fix>: added length check for udp rpc

---
 src/rpc/src/rpcUdp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/rpc/src/rpcUdp.c b/src/rpc/src/rpcUdp.c
index a908059d5e..c8a16be162 100644
--- a/src/rpc/src/rpcUdp.c
+++ b/src/rpc/src/rpcUdp.c
@@ -186,9 +186,11 @@ static void *taosRecvUdpData(void *param) {
   SUdpConn          *pConn = param;
   struct sockaddr_in sourceAdd;
   ssize_t            dataLen;
+  int32_t            msgLen;
   unsigned int       addLen;
   uint16_t           port;
   SRecvInfo          recvInfo;
+  SRpcHead          *pHead;
 
   memset(&sourceAdd, 0, sizeof(sourceAdd));
   addLen = sizeof(sourceAdd);
@@ -218,6 +220,13 @@ static void *taosRecvUdpData(void *param) {
       continue;
     }
 
+    pHead = (SRpcHead *)msg;
+    msgLen = (int32_t)htonl((uint32_t)pHead->msgLen);
+    if (dataLen < msgLen) {
+      tError("%s recvfrom failed(%s): dataLen: %ld, msgLen: %d", pConn->label, strerror(errno), (long)dataLen, msgLen);
+      continue;
+    }
+
     int32_t size = dataLen + tsRpcOverhead;
     char *tmsg = malloc(size);
     if (NULL == tmsg) {
-- 
GitLab