From d940514bf18fef7014cdb8d944a96e8cffb28771 Mon Sep 17 00:00:00 2001
From: Anthony Kirby <anthony@anthony.org>
Date: Thu, 9 Nov 2023 00:13:08 +0000
Subject: [PATCH] add sanity checks on buffer length in fromWire (#118)

fixes #114 (thank you @aqllmcdavid for the report)
---
 README.md             |  6 ++++++
 src/lib/LoraPacket.ts | 12 ++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/README.md b/README.md
index 36916f9..3db75d1 100644
--- a/README.md
+++ b/README.md
@@ -291,6 +291,10 @@ you'll find helpful.
 
 #### Version history
 
+(unreleased)
+- - sanity checks in fromWire
+- - fix parsing RejoinRequest
+
 - 0.8.24 bump crypto-js to 4.2.0 (CVE-2023-46233)
 - 0.8.23 bump @babel/traverse to 7.23.2
 - 0.8.22 add WOR keys
@@ -355,3 +359,5 @@ you'll find helpful.
 - Thank you to [kalik1](https://github.com/kalik1)
 - Thank you to [Pierre PLR](https://github.com/pplr)
 - Thank you to [Ricardo Stoklosa](https://github.com/RicardoStoklosa)
+- Thank you to [Lucas](https://github.com/aqllmcdavid)
+
diff --git a/src/lib/LoraPacket.ts b/src/lib/LoraPacket.ts
index 48c052b..d832efa 100644
--- a/src/lib/LoraPacket.ts
+++ b/src/lib/LoraPacket.ts
@@ -142,10 +142,16 @@ class LoraPacket {
     const mtype = this._getMType();
 
     if (mtype == MType.JOIN_REQUEST) {
+      if (incoming.length < 5 + 18) {
+        throw new Error("contents too short for a Join Request");
+      }
       this.AppEUI = reverseBuffer(incoming.slice(1, 1 + 8));
       this.DevEUI = reverseBuffer(incoming.slice(9, 9 + 8));
       this.DevNonce = reverseBuffer(incoming.slice(17, 17 + 2));
     } else if (mtype == MType.JOIN_ACCEPT) {
+      if (incoming.length < 5 + 12) {
+        throw new Error("contents too short for a Join Accept");
+      }
       this.AppNonce = reverseBuffer(incoming.slice(1, 1 + 3));
       this.NetID = reverseBuffer(incoming.slice(4, 4 + 3));
       this.DevAddr = reverseBuffer(incoming.slice(7, 7 + 4));
@@ -161,10 +167,16 @@ class LoraPacket {
     } else if (mtype == MType.REJOIN_REQUEST) {
       this.RejoinType = incoming.slice(1, 1 + 1);
       if (this.RejoinType[0] === 0 || this.RejoinType[0] === 2) {
+        if (incoming.length < 5 + 14) {
+          throw new Error("contents too short for a Rejoin Request (Type 0/2)");
+        }
         this.NetID = reverseBuffer(incoming.slice(2, 2 + 3));
         this.DevEUI = reverseBuffer(incoming.slice(5, 5 + 8));
         this.RJCount0 = reverseBuffer(incoming.slice(13, 13 + 2));
       } else if (this.RejoinType[0] === 1) {
+        if (incoming.length < 5 + 19) {
+          throw new Error("contents too short for a Rejoin Request (Type 1)");
+        }
         this.JoinEUI = reverseBuffer(incoming.slice(2, 2 + 8));
         this.DevEUI = reverseBuffer(incoming.slice(10, 10 + 8));
         this.RJCount1 = reverseBuffer(incoming.slice(18, 18 + 2));