From a7065cf3a3dcd36d0b47e9c25acdf30189019f9c Mon Sep 17 00:00:00 2001
From: Eugene Crosser
Date: Tue, 14 Jun 2022 21:17:09 +0200
Subject: [PATCH] Drop data if we are receiving junk

Fix problem discovered by fuzzing
---
 gps303/collector.py | 19 ++++++++++++++-----
 gps303/zmsg.py | 2 +-
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/gps303/collector.py b/gps303/collector.py
index 00594e1..28ee4a8 100644
--- a/gps303/collector.py
+++ b/gps303/collector.py
@@ -21,6 +21,8 @@ from .zmsg import Bcast, Resp
 log = getLogger("gps303/collector")
+MAXBUFFER: int = 4096
+
 class Client:
 """Connected socket to the terminal plus buffer and metadata"""
@@ -39,7 +41,7 @@ class Client:
 def recv(self) -> Optional[List[Tuple[float, Tuple[str, int], bytes]]]:
 """Read from the socket and parse complete messages"""
 try:
- segment = self.sock.recv(4096)
+ segment = self.sock.recv(MAXBUFFER)
 except OSError as e:
 log.warning(
 "Reading from fd %d (IMEI %s): %s",
@@ -57,6 +59,10 @@ class Client:
 return None
 when = time()
 self.buffer += segment
+ if len(self.buffer) > MAXBUFFER:
+ # We are receiving junk. Let's drop it or we run out of memory.
+ log.warning("More than %d unparseable data, dropping", MAXBUFFER)
+ self.buffer = b""
 msgs = []
 while True:
 framestart = self.buffer.find(b"xx")
@@ -64,8 +70,9 @@ class Client:
 break
 if framestart > 0: # Should not happen, report
 log.warning(
- 'Undecodable data "%s" from fd %d (IMEI %s)',
- self.buffer[:framestart].hex(),
+ 'Undecodable data (%d) "%s" from fd %d (IMEI %s)',
+ framestart,
+ self.buffer[:framestart][:64].hex(),
 self.sock.fileno(),
 self.imei,
 )
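Review bot: The size check in `recv()` runs right after `self.buffer += segment` and before the frame-parsing loop, so it discards data that has not been examined yet: a partial frame left in the buffer plus a full `recv(MAXBUFFER)` segment exceeds the limit even when every byte is valid, and complete frames are lost with it. Applying the cap after the parsing loop, to whatever remains unparsed, would still bound memory without dropping parseable frames; the loop ends outside this hunk, so the exact placement has to be checked there. The warning also carries no fd or IMEI, unlike the other warnings in this method, which makes it hard to tell which peer is sending junk; `log.warning("More than %d unparseable data from fd %d (IMEI %s), dropping", MAXBUFFER, self.sock.fileno(), self.imei)` would match them.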
@@ -82,8 +89,10 @@ class Client:
 # Do this embarrassing hack to avoid accidental match
 # of some binary data in the packet against '\r\n'.
 while True:
- frameend = self.buffer.find(b"\r\n", frameend)
- if frameend >= (exp_end - 3): # Found realistic match
+ frameend = self.buffer.find(b"\r\n", frameend + 1)
+ if frameend == -1 or frameend >= (
+ exp_end - 3
+ ): # Found realistic match or none
 break
 if frameend == -1: # Incomplete frame, return what we have
 break
diff --git a/gps303/zmsg.py b/gps303/zmsg.py
index 73a4f80..2d497c0 100644
--- a/gps303/zmsg.py
+++ b/gps303/zmsg.py
@@ -119,7 +119,7 @@ class Bcast(_Zmsg):
 "BB16s",
 int(self.is_incoming),
 self.proto,
- "0000000000000000"
+ b"0000000000000000"
 if self.imei is None
 else self.imei.encode(),
 )
-- 
2.43.0
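Review bot: In the `\r\n` search loop of gps303/collector.py the wrapped condition leaves the comment `# Found realistic match or none` on the closing `):` line, and the loop now exits for two different reasons that the following `if frameend == -1` has to tell apart again. Hoisting the bound before the loop, e.g. `min_end = exp_end - 3`, lets the test stay on one line: `if frameend == -1 or frameend >= min_end:`. A short comment stating that `frameend + 1` is what guarantees progress (the old call restarted the search at the same offset and could not move past an early match) would keep a later edit from reintroducing the hang. The initial value of `frameend` and the computation of `exp_end` are outside this hunk, so whether starting one byte past the initial offset can skip a terminator should be confirmed there.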