Skip to content

fix(teleport): reject negative message length in Unpack to avoid panic#138

Open
SAY-5 wants to merge 1 commit into
andeya:masterfrom
SAY-5:fix-unpack-negative-length
Open

fix(teleport): reject negative message length in Unpack to avoid panic#138
SAY-5 wants to merge 1 commit into
andeya:masterfrom
SAY-5:fix-unpack-negative-length

Conversation

@SAY-5

@SAY-5 SAY-5 commented Jun 18, 2026

Copy link
Copy Markdown

Fixes #136.

Protocol.Unpack reads the message length from the packet header as a signed int32 via BytesToInt. When a malformed packet carries a negative length, the existing length < ...+messageLength guard passes (the right side shrinks), so the code slices buffer[start : start+messageLength] with a high bound below the low bound and panics with slice bounds out of range.

Added a messageLength < 0 check to the same guard so a bad length is treated like a short buffer and the loop breaks, leaving the bytes in bufferOver. Added a regression test that panics without the guard.

Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug] protocol.go: BytesToInt lacks buffer bounds checking

1 participant