From 95c1528342c83a8ec599b2f49957d840d9695e8f Mon Sep 17 00:00:00 2001
From: Maxime Coste
Date: Thu, 1 Dec 2016 19:45:23 +0000
Subject: [PATCH] Fix crash when a client sends a packet advertising a wrong size
If the given size is less than the header size, the message is clearly invalid, disconnect the client in that case.
---
 src/remote.cc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/remote.cc b/src/remote.cc
index 7d44c2e5..5e8de3f2 100644
--- a/src/remote.cc
+++ b/src/remote.cc
@@ -153,7 +153,11 @@ public:
 m_stream.resize(header_size);
 read_from_socket(sock, header_size - m_write_pos);
 if (m_write_pos == header_size)
+ {
+ if (size() < header_size)
+ throw remote_error{"invalid message received"};
 m_stream.resize(size());
+ }
 }
 else
 read_from_socket(sock, size() - m_write_pos);
@@ -234,6 +238,7 @@ public:
 private:
 void read_from_socket(int sock, size_t size)
 {
+ kak_assert(m_write_pos + size <= m_stream.size());
 int res = ::read(sock, m_stream.data() + m_write_pos, size);
 if (res <= 0)
 throw remote_error{res ? "peer disconnected"
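Review bot: The new check in the `m_write_pos == header_size` branch rejects only sizes below `header_size`, so `m_stream.resize(size())` still runs with whatever larger value the header carries. A single small packet could therefore request an allocation as large as the size field allows. The type and origin of `size()` are not visible in this hunk, so this assumes it is decoded from the bytes just received. Consider an upper bound next to the lower one, e.g. `if (size() < header_size || size() > max_message_size)`, where `max_message_size` is a placeholder for a limit the project would choose. The enclosing function starts and ends outside the hunk.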
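Review bot: The bound on the `::read` destination in `read_from_socket` is enforced only by `kak_assert`. If that macro is compiled out in non-debug builds (its definition is not on this page), a `size` larger than the remaining buffer would still write past `m_stream` in release binaries. Because the length ultimately derives from data sent by the peer, an unconditional check is safer: `if (m_write_pos + size > m_stream.size()) throw remote_error{"invalid message received"};`. A one-line comment stating the invariant, such as `// m_stream must already hold m_write_pos + size bytes`, would also help the next reader. The function body continues past the end of the hunk.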