Buffer overflow with RSA 4096 in streaming when signature included

[majestrate]

---

By submitting this issue, I confirm the following:

• I have read and understood the contributor guide in kovri-docs.
• I have checked that the issue I am reporting can be replicated or that the feature I am suggesting is not present.
• I have checked opened or recently closed pull requests for existing solutions/implementations to my issue/suggestion.

---

https://github.com/monero-project/kovri/blob/master/src/client/api/streaming.cc#L271-L273 vs 512 bytes signature

fixed in i2pd 2.17.0

[anonimal]

Thank you for the report, @majestrate.

As noted, the issue resides with i2pd code that has yet to be reviewed for QA and subsequently rewritten; similar to this report and as noted in #511, #366, #643, and others. Note: the same applies to all datagram/streaming code.

Ironically, the currently open #755 (with my patches noted in the comments but not yet PR'd) would've resolved this issue at the signature level but a trivial patch should be applied in the meantime.

[majestrate]

CVE 2017-17066 was also fixed in 2.17.0

[anonimal]

Yes, as noted in the report and #759, we've already resolved that. Thanks again.