RestComm/jdiameter

Infinite loop when decoding a wrong zero-padded AVP


There is a bug in decodeAvp() method of org.jdiameter.client.impl.parser.ElementParser class.

The bug is how the padding bytes are skipped (ElementParser.java lines 299-303):

      if (length % 4 != 0) {
         // skip() may return fewer bytes than requested (0 at end of stream),
         // and the loop only exits once length reaches a multiple of 4
         for (int i; length % 4 != 0; length += i) {
           i = (int) in.skip((4 - length % 4));
         }
       }

If the bytes to skip are greater than the bytes available in the ByteArrayInputStream, the for loop above becomes infinite: in the first iteration in.skip() will return the skipped number of bytes (less than the requested) and in subsequent invocations in.skip() will return 0. So the loop never ends.

My proposed modification is:

        if (length % 4 != 0) {
            int paddingBytes = 4 - length % 4;
            if ((int) in.skip(paddingBytes) < paddingBytes) {
                throw new AvpDataException("Not enough data in buffer (padding bytes)!");
            }
            length += paddingBytes;
        }

As the padding bytes are 1 to 3, this is a very uncommon situation, but it can happen when the wrongly padded AVP is the last AVP in the Diameter message.
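The following is an added standalone reproduction, not code from the issue or from the jdiameter project. It contains both loop variants side by side over a constructed truncated buffer, so the difference in behaviour can be observed without a Diameter stack. The original loop is wrapped with an iteration cap so it reports "stuck" instead of hanging; AvpDataException is a local stand-in for the project's exception type, and the method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Standalone demonstration of the padding-skip problem. Not jdiameter code.
public class PaddingSkipDemo {

    // Stand-in for org.jdiameter's own exception type.
    static class AvpDataException extends Exception {
        AvpDataException(String msg) { super(msg); }
    }

    // Same loop shape as the reported code. Returns the number of in.skip() calls
    // made before the loop exits, or -1 if it exceeded maxIterations (i.e. it is stuck).
    static int skipPaddingOriginal(InputStream in, int length, int maxIterations) throws IOException {
        int calls = 0;
        if (length % 4 != 0) {
            for (int i; length % 4 != 0; length += i) {
                i = (int) in.skip(4 - length % 4);
                if (++calls > maxIterations) {
                    return -1; // ByteArrayInputStream.skip() returns 0 at end of stream, forever
                }
            }
        }
        return calls;
    }

    // Proposed fix: skip once and fail if fewer bytes than requested were available.
    // Returns the padded length on success.
    static int skipPaddingFixed(InputStream in, int length) throws IOException, AvpDataException {
        if (length % 4 != 0) {
            int paddingBytes = 4 - length % 4;
            if ((int) in.skip(paddingBytes) < paddingBytes) {
                throw new AvpDataException("Not enough data in buffer (padding bytes)!");
            }
            length += paddingBytes;
        }
        return length;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the AVP body was 5 bytes (so 3 padding bytes are expected),
        // but only 1 trailing byte remains in the buffer, as for a truncated last AVP.
        // The stream starts where the 5 data bytes have already been consumed.
        byte[] truncated = new byte[] {0x00};
        int length = 5;

        int calls = skipPaddingOriginal(new ByteArrayInputStream(truncated), length, 1000);
        System.out.println("original loop on truncated input: "
                + (calls < 0 ? "stuck (skip() keeps returning 0)" : calls + " call(s)"));

        try {
            int padded = skipPaddingFixed(new ByteArrayInputStream(truncated), length);
            System.out.println("fixed on truncated input: advanced to length " + padded);
        } catch (AvpDataException e) {
            System.out.println("fixed on truncated input: rejected -> " + e.getMessage());
        }

        // Well-formed case: all 3 padding bytes are present, both variants succeed.
        byte[] complete = new byte[] {0x00, 0x00, 0x00};
        System.out.println("original loop on complete input: "
                + skipPaddingOriginal(new ByteArrayInputStream(complete), length, 1000) + " call(s)");
        System.out.println("fixed on complete input: length "
                + skipPaddingFixed(new ByteArrayInputStream(complete), length));
    }
}
```

With the truncated buffer the first skip(3) returns 1, length becomes 6, and every later skip(2) returns 0 without changing length, so the original loop only stops because of the iteration cap; the fixed variant rejects the message after a single skip() call. Any parser that advances a stream with skip() should apply the same check, since the InputStream contract allows skip() to return fewer bytes than requested.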