
[taler-merchant] branch master updated: fix #8658


From: gnunet
Subject: [taler-merchant] branch master updated: fix #8658
Date: Fri, 22 Mar 2024 14:13:37 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository merchant.

The following commit(s) were added to refs/heads/master by this push:
     new 2c9b6f56 fix #8658
2c9b6f56 is described below

commit 2c9b6f560613623923304c9cdbc9ea6463f594f3
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Fri Mar 22 14:13:33 2024 +0100

    fix #8658
---
 src/lib/merchant_api_get_config.c | 61 +++++++++++++++++++++++++++------------
 1 file changed, 43 insertions(+), 18 deletions(-)

diff --git a/src/lib/merchant_api_get_config.c 
b/src/lib/merchant_api_get_config.c
index d75adab7..1aee6ed6 100644
--- a/src/lib/merchant_api_get_config.c
+++ b/src/lib/merchant_api_get_config.c
@@ -1,6 +1,6 @@
 /*
   This file is part of TALER
-  Copyright (C) 2014-2023 Taler Systems SA
+  Copyright (C) 2014-2024 Taler Systems SA
 
   TALER is free software; you can redistribute it and/or modify it under the
   terms of the GNU Lesser General Public License as published by the Free 
Software
@@ -41,6 +41,15 @@
  */
 #define MERCHANT_PROTOCOL_AGE 1
 
+/**
+ * How many exchanges do we allow at most per merchant?
+ */
+#define MAX_EXCHANGES 1024
+
+/**
+ * How many currency specs do we allow at most per merchant?
+ */
+#define MAX_CURRENCIES 1024
 
 /**
  * @brief A handle for /config operations
@@ -108,6 +117,7 @@ handle_config_finished (void *cls,
       const json_t *exchanges = NULL;
       struct TALER_MERCHANT_ExchangeConfigInfo *eci = NULL;
       unsigned int num_eci = 0;
+      unsigned int nspec;
       struct TALER_JSON_ProtocolVersion pv;
       struct GNUNET_JSON_Specification spec[] = {
         GNUNET_JSON_spec_object_const ("currencies",
@@ -136,26 +146,42 @@ handle_config_finished (void *cls,
         GNUNET_break_op (0);
         cr.hr.http_status = 0;
         cr.hr.ec = TALER_EC_GENERIC_INVALID_RESPONSE;
+        break;
       }
-      else
+      cr.details.ok.compat = TALER_MERCHANT_VC_MATCH;
+      if (MERCHANT_PROTOCOL_CURRENT < pv.current)
       {
-        cr.details.ok.compat = TALER_MERCHANT_VC_MATCH;
-        if (MERCHANT_PROTOCOL_CURRENT < pv.current)
-        {
-          cr.details.ok.compat |= TALER_MERCHANT_VC_NEWER;
-          if (MERCHANT_PROTOCOL_CURRENT < pv.current - pv.age)
-            cr.details.ok.compat |= TALER_MERCHANT_VC_INCOMPATIBLE;
-        }
-        if (MERCHANT_PROTOCOL_CURRENT > pv.current)
-        {
-          cr.details.ok.compat |= TALER_MERCHANT_VC_OLDER;
-          if (MERCHANT_PROTOCOL_CURRENT - MERCHANT_PROTOCOL_AGE > pv.current)
-            cr.details.ok.compat |= TALER_MERCHANT_VC_INCOMPATIBLE;
-        }
+        cr.details.ok.compat |= TALER_MERCHANT_VC_NEWER;
+        if (MERCHANT_PROTOCOL_CURRENT < pv.current - pv.age)
+          cr.details.ok.compat |= TALER_MERCHANT_VC_INCOMPATIBLE;
+      }
+      if (MERCHANT_PROTOCOL_CURRENT > pv.current)
+      {
+        cr.details.ok.compat |= TALER_MERCHANT_VC_OLDER;
+        if (MERCHANT_PROTOCOL_CURRENT - MERCHANT_PROTOCOL_AGE > pv.current)
+          cr.details.ok.compat |= TALER_MERCHANT_VC_INCOMPATIBLE;
+      }
+
+      nspec = (unsigned int) json_object_size (jcs);
+      if ( (nspec > MAX_CURRENCIES) ||
+           (json_object_size (jcs) != (size_t) nspec) )
+      {
+        GNUNET_break_op (0);
+        cr.hr.http_status = 0;
+        cr.hr.ec = TALER_EC_GENERIC_INVALID_RESPONSE;
+        break;
       }
       if (NULL != exchanges)
       {
-        num_eci = json_object_size (exchanges);
+        num_eci = (unsigned int) json_object_size (exchanges);
+        if ( (num_eci > MAX_EXCHANGES) ||
+             (json_object_size (exchanges) != (size_t) num_eci) )
+        {
+          GNUNET_break_op (0);
+          cr.hr.http_status = 0;
+          cr.hr.ec = TALER_EC_GENERIC_INVALID_RESPONSE;
+          break;
+        }
         eci = GNUNET_new_array (num_eci,
                                 struct TALER_MERCHANT_ExchangeConfigInfo);
         for (unsigned int i = 0; i<num_eci; i++)
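Review bot: The limit checks `nspec > MAX_CURRENCIES` and `num_eci > MAX_EXCHANGES` run on a count that has already been narrowed to `unsigned int`, so they are sound only because of the follow-up `json_object_size (...) != (size_t) nspec` round-trip comparison. Keeping the count in a `size_t` and testing it before narrowing is easier to audit and saves the second call: `size_t n = json_object_size (jcs);`, then `if (n > MAX_CURRENCIES)` with the existing error body, then `nspec = (unsigned int) n;`, and likewise for `exchanges`. Separately, `exchanges` is walked with an index loop while `jcs` is iterated with `json_object_foreach`. Its parse spec is outside this hunk, but if it is parsed as a JSON array, `json_object_size` returns 0 for non-objects, so the cap would never trigger and no exchange entries would be read; that is worth confirming. handle_config_finished starts before and continues past this hunk.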
@@ -187,7 +213,6 @@ handle_config_finished (void *cls,
         }
       }
       {
-        unsigned int nspec = json_object_size (jcs);
         struct TALER_CurrencySpecification *cspecs;
         unsigned int off = 0;
         json_t *obj;
@@ -197,7 +222,7 @@ handle_config_finished (void *cls,
                                    struct TALER_CurrencySpecification);
         cr.details.ok.num_cspecs = nspec;
         cr.details.ok.cspecs = cspecs;
-        cr.details.ok.num_exchanges = num_eci;
+        cr.details.ok.num_exchanges = (unsigned int) num_eci;
         cr.details.ok.exchanges = eci;
         json_object_foreach ((json_t *) jcs, curr, obj)
         {
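Review bot: The cast in `cr.details.ok.num_exchanges = (unsigned int) num_eci;` has no effect, because `num_eci` is declared `unsigned int` earlier in handle_config_finished. It reads as if a narrowing happens at this assignment, when the actual narrowing and bound check sit at the `json_object_size (exchanges)` assignment. I would keep the plain `cr.details.ok.num_exchanges = num_eci;`, optionally with a comment such as `/* bounded by MAX_EXCHANGES above */`. The enclosing block continues past the end of the hunk.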

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


