add checks for integer overflows

neicnordic · Aug 21, 2024 · a131bdd · a131bdd
1 parent bdd76a0
commit a131bdd
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/sda-download/api/sda/sda_test.go b/sda-download/api/sda/sda_test.go
@@ -677,7 +677,8 @@ func (f *fakeGRPC) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	_, err = w.Write([]byte{0})
 	assert.NoError(f.t, err, "Could not write response flag")
 
-	err = binary.Write(w, binary.BigEndian, int32(len(response)))
+	assert.Less(f.t, len(response), int(^uint32(0)), "Response too long")
+	err = binary.Write(w, binary.BigEndian, int32(len(response))) //nolint:gosec // we're checking the length above
 	assert.NoError(f.t, err, "Could not write response length")
 
 	_, err = w.Write(response)

diff --git a/sda/cmd/reencrypt/reencrypt.go b/sda/cmd/reencrypt/reencrypt.go
@@ -55,10 +55,15 @@ func (s *server) ReencryptHeader(_ context.Context, in *re.ReencryptRequest) (*r
 
 	if len(dataEditList) > 0 { // linter doesn't like checking for nil before len
 
-		// Only do this if we're passed a data edit list
+		// Check that G115: integer overflow conversion int -> uint32 is satisfied
+		if len(dataEditList) > int(^uint32(0)) {
+			return nil, status.Error(400, "data edit list too long")
+		}
+
+		// Only do this if we're passed a data edit whose length fits in a uint32
 		dataEditListPacket := headers.DataEditListHeaderPacket{
 			PacketType:    headers.PacketType{PacketType: headers.DataEditList},
-			NumberLengths: uint32(len(dataEditList)),
+			NumberLengths: uint32(len(dataEditList)), //nolint:gosec // we're checking the length above
 			Lengths:       dataEditList,
 		}
 		extraHeaderPackets = append(extraHeaderPackets, dataEditListPacket)