Changeset 14302 for branches


Ignore:
Timestamp:
Jun 29, 2014, 1:42:38 AM (7 years ago)
Author:
jordan
Message:

Fix peer communication vulnerability (no known exploits) reported by Ben Hawkes

Location:
branches/2.8x
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/2.8x/NEWS

    r14278 r14302  
     1=== Transmission 2.83 (2014/xx/yy) ===
     2[http://trac.transmissionbt.com/query?milestone=2.84&group=component&order=severity All tickets closed by this release]
     3==== All Platforms ====
     4  * Fix peer communication vulnerability (no known exploits) reported by Ben Hawkes
     5
    16=== Transmission 2.83 (2014/05/18) ===
    27[http://trac.transmissionbt.com/query?milestone=2.83&group=component&order=severity All tickets closed by this release]
  • branches/2.8x/libtransmission/bitfield.c

    r14241 r14302  
    168168get_bytes_needed (size_t bit_count)
    169169{
    170   return (bit_count + 7u) / 8u;
     170  return (bit_count >> 3) + (bit_count & 7 ? 1 : 0);
    171171}
    172172
     
    229229}
    230230
    231 static void
     231static bool
    232232tr_bitfieldEnsureNthBitAlloced (tr_bitfield * b, size_t nth)
    233233{
    234234  /* count is zero-based, so we need to allocate nth+1 bits before setting the nth */
     235
     236  if (nth == SIZE_MAX)
     237    return false;
     238
    235239  tr_bitfieldEnsureBitsAlloced (b, nth + 1);
     240  return true;
    236241}
    237242
     
    366371tr_bitfieldAdd (tr_bitfield * b, size_t nth)
    367372{
    368   if (!tr_bitfieldHas (b, nth))
    369     {
    370       tr_bitfieldEnsureNthBitAlloced (b, nth);
     373  if (!tr_bitfieldHas (b, nth) && tr_bitfieldEnsureNthBitAlloced (b, nth))
     374    {
    371375      b->bits[nth >> 3u] |= (0x80 >> (nth & 7u));
    372376      tr_bitfieldIncTrueCount (b, 1);
     
    394398  em = 0xff << (7 - (end & 7));
    395399
    396   tr_bitfieldEnsureNthBitAlloced (b, end);
     400  if (!tr_bitfieldEnsureNthBitAlloced (b, end))
     401    return;
     402
    397403  if (sb == eb)
    398404    {
     
    415421  assert (tr_bitfieldIsValid (b));
    416422
    417   if (!tr_bitfieldHas (b, nth))
    418     {
    419       tr_bitfieldEnsureNthBitAlloced (b, nth);
     423  if (!tr_bitfieldHas (b, nth) && tr_bitfieldEnsureNthBitAlloced (b, nth))
     424    {
    420425      b->bits[nth >> 3u] &= (0xff7f >> (nth & 7u));
    421426      tr_bitfieldIncTrueCount (b, -1);
     
    444449  em = ~ (0xff << (7 - (end & 7)));
    445450
    446   tr_bitfieldEnsureNthBitAlloced (b, end);
     451  if (!tr_bitfieldEnsureNthBitAlloced (b, end))
     452    return;
     453
    447454  if (sb == eb)
    448455    {
  • branches/2.8x/libtransmission/peer-msgs.c

    r14266 r14302  
    3333#include "variant.h"
    3434#include "version.h"
     35
     36#ifndef EBADMSG
     37 #define EBADMSG EINVAL
     38#endif
    3539
    3640/**
     
    16931697    assert (msgs);
    16941698    assert (req);
     1699
     1700    if (!requestIsValid (msgs, req)) {
     1701        dbgmsg (msgs, "dropping invalid block %u:%u->%u",
     1702                req->index, req->offset, req->length);
     1703        return EBADMSG;
     1704    }
    16951705
    16961706    if (req->length != tr_torBlockCountBytes (msgs->torrent, block)) {
Note: See TracChangeset for help on using the changeset viewer.