Changeset 14301 for branches


Timestamp:
Jun 29, 2014, 1:41:33 AM (7 years ago)
Author:
jordan
Message:

fix tr_bencParseStr() bug reported by Ben Hawkes

Location:
branches/2.8x/libtransmission
Files:
2 edited

  • branches/2.8x/libtransmission/variant-benc.c

    r14241 r14301  
    8585                 size_t *         setme_strlen)
    8686{
     87  const void * end;
    8788  size_t len;
    88   const void * end;
    89   char * endptr;
     89  char * ulend;
     90  const uint8_t * strbegin;
     91  const uint8_t * strend;
    9092
    9193  if (buf >= bufend)
    92     return EILSEQ;
     94    goto err;
    9395
    9496  if (!isdigit (*buf))
    95     return EILSEQ;
     97    goto err;
    9698
    9799  end = memchr (buf, ':', bufend - buf);
    98100  if (end == NULL)
    99     return EILSEQ;
     101    goto err;
    100102
    101103  errno = 0;
    102   len = strtoul ((const char*)buf, &endptr, 10);
    103   if (errno || endptr != end)
    104     return EILSEQ;
    105 
    106   if ((const uint8_t*)end + 1 + len > bufend)
    107     return EILSEQ;
     104  len = strtoul ((const char*)buf, &ulend, 10);
     105  if (errno || ulend != end)
     106    goto err;
     107
     108  strbegin = (const uint8_t*)end + 1;
     109  strend = strbegin + len;
     110  if ((strend<strbegin) || (strend>bufend))
     111    goto err;
    108112
    109113  *setme_end = (const uint8_t*)end + 1 + len;
     
    111115  *setme_strlen = len;
    112116  return 0;
     117
     118err:
     119  *setme_end = NULL;
     120  *setme_str = NULL;
     121  *setme_strlen= 0;
     122  return EILSEQ;
    113123}
    114124
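Review bot: The overflow guard at new lines 109-111 relies on `strbegin + len` wrapping so that `strend < strbegin` becomes true, but forming a pointer more than one element past the end of the buffer is undefined behavior in C, and a compiler that assumes no UB may fold that comparison to false and keep only the `strend > bufend` test. Comparing the length against the bytes that remain avoids computing the out-of-range pointer at all: `if (len > (size_t)(bufend - strbegin)) goto err;` followed by `strend = strbegin + len;`, which is well-defined because `end` was found by memchr inside [buf, bufend), so `bufend - strbegin` is never negative. With that in place the unchanged line 113 could also read `*setme_end = strend;` instead of recomputing the sum. tr_bencParseStr's signature begins before the hunk, and this render drops line 114 (presumably the `*setme_str` assignment), so that part of the success path could not be reviewed here.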
  • branches/2.8x/libtransmission/variant-test.c

    r14241 r14301  
    9595  uint8_t buf[128];
    9696  int err;
     97  int n;
    9798  const uint8_t * end;
    9899  const uint8_t * str;
    99100  size_t len;
    100101
    101   /* good string */
    102   tr_snprintf ((char*)buf, sizeof (buf), "4:boat");
    103   err = tr_bencParseStr (buf, buf + 6, &end, &str, &len);
    104   check_int_eq (0, err);
    105   check_int_eq (4, len);
    106   check (!strncmp ((char*)str, "boat", len));
    107   check (end == buf + 6);
    108   str = NULL;
    109   end = NULL;
    110   len = 0;
    111 
    112   /* string goes past end of buffer */
    113   err = tr_bencParseStr (buf, buf + 5, &end, &str, &len);
     102  /* string len is designed to overflow */
     103  n = tr_snprintf ((char*)buf, sizeof (buf), "%zu:boat", (size_t)(SIZE_MAX-2));
     104  err = tr_bencParseStr (buf, buf+n, &end, &str, &len);
    114105  check_int_eq (EILSEQ, err);
    115106  check_int_eq (0, len);
     
    118109  check (!len);
    119110
     111  /* good string */
     112  n = tr_snprintf ((char*)buf, sizeof (buf), "4:boat");
     113  err = tr_bencParseStr (buf, buf+n, &end, &str, &len);
     114  check_int_eq (0, err);
     115  check_int_eq (4, len);
     116  check (!strncmp ((char*)str, "boat", len));
     117  check (end == buf + 6);
     118  str = NULL;
     119  end = NULL;
     120  len = 0;
     121
     122  /* string goes past end of buffer */
     123  err = tr_bencParseStr (buf, buf+(n-1), &end, &str, &len);
     124  check_int_eq (EILSEQ, err);
     125  check_int_eq (0, len);
     126  check (str == NULL);
     127  check (end == NULL);
     128  check (!len);
     129
    120130  /* empty string */
    121   tr_snprintf ((char*)buf, sizeof (buf), "0:");
    122   err = tr_bencParseStr (buf, buf + 2, &end, &str, &len);
     131  n = tr_snprintf ((char*)buf, sizeof (buf), "0:");
     132  err = tr_bencParseStr (buf, buf+n, &end, &str, &len);
    123133  check_int_eq (0, err);
    124134  check_int_eq (0, len);
     
    130140
    131141  /* short string */
    132   tr_snprintf ((char*)buf, sizeof (buf), "3:boat");
    133   err = tr_bencParseStr (buf, buf + 6, &end, &str, &len);
     142  n = tr_snprintf ((char*)buf, sizeof (buf), "3:boat");
     143  err = tr_bencParseStr (buf, buf+n, &end, &str, &len);
    134144  check_int_eq (0, err);
    135145  check_int_eq (3, len);
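Review bot: The good-string check at new line 117 still hard-codes `check (end == buf + 6);` although the call on line 113 now derives the buffer length from `n`; `check (end == buf + n);` keeps the assertion in step with the literal. The overflow case on lines 102-104 is also platform-dependent in which branch it exercises: where `unsigned long` is narrower than `size_t` (LLP64 targets) strtoul will reject `SIZE_MAX-2` with ERANGE before the new pointer-range check is reached, so that check is only covered on LP64 builds; a comment such as `/* on LP64 this reaches the strend range check, on LLP64 strtoul rejects it first */`, or a second value chosen to fit `unsigned long`, would make the intent explicit. Lines 107-108 and 135-139 are not shown in this render, so the `str`/`end` assertions for the overflow and empty-string cases could not be reviewed.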