Avoid dynamically adding stack memory for nonce2 in the stratum send thread and check the pool's nonce2_len will not cause an overflow.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
diff --git a/cgminer.c b/cgminer.c
index 2936eeb..59ab32c 100644
--- a/cgminer.c
+++ b/cgminer.c
@@ -5213,12 +5213,12 @@ static void *stratum_sthread(void *userdata)
quit(1, "Failed to create stratum_q in stratum_sthread");
while (42) {
- char *noncehex, *nonce2, *nonce2hex;
struct stratum_share *sshare;
+ char *noncehex, *nonce2hex;
uint32_t *hash32, nonce;
+ char s[1024], nonce2[8];
struct work *work;
bool submitted;
- char s[1024];
if (unlikely(pool->removed))
break;
@@ -5227,6 +5227,14 @@ static void *stratum_sthread(void *userdata)
if (unlikely(!work))
quit(1, "Stratum q returned empty work");
+ if (unlikely(work->nonce2_len > 8)) {
+ applog(LOG_ERR, "Pool %d asking for inappropriately long nonce2 length %d",
+ pool->pool_no, (int)work->nonce2_len);
+ applog(LOG_ERR, "Not attempting to submit shares");
+ free_work(work);
+ continue;
+ }
+
sshare = calloc(sizeof(struct stratum_share), 1);
hash32 = (uint32_t *)work->hash;
submitted = false;
@@ -5243,8 +5251,8 @@ static void *stratum_sthread(void *userdata)
sshare->id = swork_id++;
mutex_unlock(&sshare_lock);
- nonce2 = alloca(work->nonce2_len);
- memset(nonce2, 0, work->nonce2_len);
+ memset(nonce2, 0, 8);
+ /* We only use uint32_t sized nonce2 increments internally */
memcpy(nonce2, &work->nonce2, sizeof(uint32_t));
nonce2hex = bin2hex((const unsigned char *)nonce2, work->nonce2_len);
if (unlikely(!nonce2hex))