Skip to content

Security: bufferToUInt reads beyond buffer length without bounds check#2665

Open
kumburovicbranko682-boop wants to merge 1 commit into
WhiskeySockets:masterfrom
kumburovicbranko682-boop:contribai/fix/security/buffertouint-reads-beyond-buffer-length-
Open

Security: bufferToUInt reads beyond buffer length without bounds check#2665
kumburovicbranko682-boop wants to merge 1 commit into
WhiskeySockets:masterfrom
kumburovicbranko682-boop:contribai/fix/security/buffertouint-reads-beyond-buffer-length-

Conversation

@kumburovicbranko682-boop

@kumburovicbranko682-boop kumburovicbranko682-boop commented Jun 27, 2026

Copy link
Copy Markdown

Problem

getBinaryNodeChildUInt calls bufferToUInt(buff, length) but never validates that buff.length >= length. Since buff comes from decoded binary protocol nodes (getBinaryNodeChildBuffer), a malformed or truncated message from the WhatsApp server (or a MITM) can cause out-of-bounds reads. In Node.js, reading beyond a Buffer returns undefined, producing NaN (256 * a + undefined), which silently corrupts downstream logic that relies on these integer fields for protocol handling (e.g., parsing device IDs, version numbers, counters).

Severity: medium
File: src/WABinary/generic-utils.ts

Solution

In getBinaryNodeChildUInt, add a length guard before calling bufferToUInt:

Changes

  • src/WABinary/generic-utils.ts (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

Summary by cubic

Add a bounds check in getBinaryNodeChildUInt to ensure the buffer is at least the requested length before calling bufferToUInt. This prevents out-of-bounds reads from malformed or truncated protocol nodes and avoids NaN values that could corrupt parsing state.

Written for commit 9a1caa0. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Bug Fixes
    • Improved binary value handling by validating that a retrieved buffer is present and long enough before converting it to an unsigned integer.
    • Reduced the chance of incorrect numeric parsing when binary data is shorter than expected.

…out bounds check

`getBinaryNodeChildUInt` calls `bufferToUInt(buff, length)` but never validates that `buff.length >= length`. Since `buff` comes from decoded binary protocol nodes (`getBinaryNodeChildBuffer`), a malformed or truncated message from the WhatsApp server (or a MITM) can cause out-of-bounds reads. In Node.js, reading beyond a Buffer returns `undefined`, producing `NaN` (256 * a + undefined), which silently corrupts downstream logic that relies on these integer fields for protocol handling (e.g., parsing device IDs, version numbers, counters).


Affected files: generic-utils.ts

Signed-off-by: kumburovicbranko682-boop <295886834+kumburovicbranko682-boop@users.noreply.github.com>
@whiskeysockets-bot

Copy link
Copy Markdown
Contributor

Thanks for opening this pull request and contributing to the project!

The next step is for the maintainers to review your changes. If everything looks good, it will be approved and merged into the main branch.

In the meantime, anyone in the community is encouraged to test this pull request and provide feedback.

✅ How to confirm it works

If you’ve tested this PR, please comment below with:

Tested and working ✅

This helps us speed up the review and merge process.

📦 To test this PR locally:

# NPM
npm install @whiskeysockets/baileys@kumburovicbranko682-boop/Baileys#contribai/fix/security/buffertouint-reads-beyond-buffer-length-

# Yarn (v2+)
yarn add @whiskeysockets/baileys@kumburovicbranko682-boop/Baileys#contribai/fix/security/buffertouint-reads-beyond-buffer-length-

# PNPM
pnpm add @whiskeysockets/baileys@kumburovicbranko682-boop/Baileys#contribai/fix/security/buffertouint-reads-beyond-buffer-length-

If you encounter any issues or have feedback, feel free to comment as well.

@coderabbitai

coderabbitai Bot commented Jun 27, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b3630e3f-12ba-413d-af4e-8007e7cdee8c

📥 Commits

Reviewing files that changed from the base of the PR and between 731cd6b and 9a1caa0.

📒 Files selected for processing (1)
  • src/WABinary/generic-utils.ts

📝 Walkthrough

Walkthrough

getBinaryNodeChildUInt now verifies that a child buffer exists and is long enough before converting it to an unsigned integer.

Changes

Binary child integer guard

Layer / File(s) Summary
Length guard
src/WABinary/generic-utils.ts
getBinaryNodeChildUInt now requires the child buffer to meet the requested length before calling bufferToUInt.

Sequence Diagram(s)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A tiny byte guard, firm and spry,
Saved the rabbit’s nibble pie 🥧🐰
If buffers short, we let them be,
If long enough, integers flee!
Hop-hop, the bits align just right.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the security fix and the missing buffer-length bounds check in the changed code.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Re-trigger cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Backlog

Development

Successfully merging this pull request may close these issues.

2 participants