[ntcore] Check id ranges in control messages (#7726)

2026-06-27 02:01:42 +00:00 · 2025-06-18 22:03:24 -06:00
parent edde38a41a
commit 676f2f84d7
3 changed files with 64 additions and 0 deletions
--- a/ntcore/src/main/native/cpp/net/WireDecoder.cpp
+++ b/ntcore/src/main/native/cpp/net/WireDecoder.cpp
@@ -174,6 +174,12 @@ static bool WireDecodeTextImpl(std::string_view in, T& out,
            goto err;
          }

+          // limit to 32-bit range and exclude endpoints used by DenseMap
+          if (pubuid >= 0x7fffffffLL || pubuid <= (-0x7fffffffLL - 1)) {
+            error = "pubuid out of range";
+            goto err;
+          }
+
          // properties; allow missing (treated as empty)
          wpi::json* properties = nullptr;
          auto propertiesIt = params->find("properties");
@@ -200,6 +206,12 @@ static bool WireDecodeTextImpl(std::string_view in, T& out,
            goto err;
          }

+          // limit to 32-bit range and exclude endpoints used by DenseMap
+          if (pubuid >= 0x7fffffffLL || pubuid <= (-0x7fffffffLL - 1)) {
+            error = "pubuid out of range";
+            goto err;
+          }
+
          // complete
          out.ClientUnpublish(pubuid);
          rv = true;
@@ -231,6 +243,12 @@ static bool WireDecodeTextImpl(std::string_view in, T& out,
            goto err;
          }

+          // limit to 32-bit range and exclude endpoints used by DenseMap
+          if (subuid >= 0x7fffffffLL || subuid <= (-0x7fffffffLL - 1)) {
+            error = "subuid out of range";
+            goto err;
+          }
+
          // options
          PubSubOptionsImpl options;
          auto optionsIt = params->find("options");
@@ -303,6 +321,12 @@ static bool WireDecodeTextImpl(std::string_view in, T& out,
            goto err;
          }

+          // limit to 32-bit range and exclude endpoints used by DenseMap
+          if (subuid >= 0x7fffffffLL || subuid <= (-0x7fffffffLL - 1)) {
+            error = "pubuid out of range";
+            goto err;
+          }
+
          // complete
          out.ClientUnsubscribe(subuid);
          rv = true;
@@ -324,6 +348,12 @@ static bool WireDecodeTextImpl(std::string_view in, T& out,
            goto err;
          }

+          // limit to 32-bit range and exclude endpoints used by DenseMap
+          if (id >= 0x7fffffffLL || id <= (-0x7fffffffLL - 1)) {
+            error = "id out of range";
+            goto err;
+          }
+
          // type
          auto typeStr = ObjGetString(*params, "type", &error);
          if (!typeStr) {
@@ -339,6 +369,13 @@ static bool WireDecodeTextImpl(std::string_view in, T& out,
              error = "pubuid value must be a number";
              goto err;
            }
+
+            // limit to 32-bit range and exclude endpoints used by DenseMap
+            if (val >= 0x7fffffffLL || val <= (-0x7fffffffLL - 1)) {
+              error = "pubuid out of range";
+              goto err;
+            }
+
            pubuid = val;
          }

@@ -369,6 +406,12 @@ static bool WireDecodeTextImpl(std::string_view in, T& out,
            goto err;
          }

+          // limit to 32-bit range and exclude endpoints used by DenseMap
+          if (id >= 0x7fffffffLL || id <= (-0x7fffffffLL - 1)) {
+            error = "id out of range";
+            goto err;
+          }
+
          // complete
          out.ServerUnannounce(*name, id);
        } else if (*method == PropertiesUpdateMsg::kMethodStr) {