From 6d7289f74a94e4f6585d158d3073bb15f8e2f085 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Fri, 30 Jul 2021 11:18:38 -0700
Subject: [PATCH] Added command length guard to desktop multiplexor.

---
 meshdesktopmultiplex.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meshdesktopmultiplex.js b/meshdesktopmultiplex.js
index 0e2daefc..1cbd2a9b 100644
--- a/meshdesktopmultiplex.js
+++ b/meshdesktopmultiplex.js
@@ -471,6 +471,8 @@ function CreateDesktopMultiplexor(parent, domain, nodeid, func) {
         if ((typeof data != 'object') || (data.length < 4)) return; // Ignore all control traffic for now (WebRTC)
         var command = data.readUInt16BE(0);
         var cmdsize = data.readUInt16BE(2);
+        if (data.length != cmdsize) return; // Invalid command length
+
         //console.log('ViewerData', data.length, command, cmdsize);
         switch (command) {
             case 1: // Key Events, forward to agent