Changeset 1535


Timestamp:
Mar 6, 2007, 12:49:35 AM (15 years ago)
Author:
joshe
Message:

Check all offsets and lengths received from the peer before using them.

File:
1 edited

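--- a/trunk/libtransmission/peerparse.h
+++ b/trunk/libtransmission/peerparse.h
@@ -91,4 +91,5 @@
                              uint8_t * p, int len )
 {
+    tr_info_t * inf = &tor->info;
     uint32_t piece;
 
@@ -100,4 +101,9 @@
 
     TR_NTOHL( p, piece );
+    if( ( uint32_t )inf->pieceCount <= piece )
+    {
+        peer_dbg( "GET  have, invalid piece" );
+        return TR_ERROR_ASSERT;
+    }
 
     peer_dbg( "GET  have %d", piece );
@@ -105,10 +111,10 @@
     if( !peer->bitfield )
     {
-        peer->bitfield = tr_bitfieldNew( tor->info.pieceCount );
+        peer->bitfield = tr_bitfieldNew( inf->pieceCount );
     }
     if( !tr_bitfieldHas( peer->bitfield, piece ) )
     {
         peer->pieceCount++;
-        peer->progress = (float) peer->pieceCount / tor->info.pieceCount;
+        peer->progress = (float) peer->pieceCount / inf->pieceCount;
     }
     tr_bitfieldAdd( peer->bitfield, piece );
@@ -175,6 +181,8 @@
 }
 
-static inline int parseRequest( tr_peer_t * peer, uint8_t * p, int len )
-{
+static inline int parseRequest( tr_torrent_t * tor, tr_peer_t * peer,
+                                uint8_t * p, int len )
+{
+    tr_info_t * inf = &tor->info;
     int index, begin, length;
     tr_request_t * r;
@@ -197,4 +205,15 @@
     TR_NTOHL( &p[8], length );
 
+    if( inf->pieceCount <= index )
+    {
+        peer_dbg( "GET  request, invalid index" );
+        return TR_ERROR_ASSERT;
+    }
+    if( tr_pieceSize( index ) < begin + length )
+    {
+        peer_dbg( "GET  request, invalid begin/length" );
+        return TR_ERROR_ASSERT;
+    }
+
     peer_dbg( "GET  request %d/%d (%d bytes)",
               index, begin, length );
@@ -269,8 +288,27 @@
                               uint8_t * p, int len )
 {
+    tr_info_t * inf = &tor->info;
     int index, begin, block, i, ret;
+
+    if( 8 > len )
+    {
+        peer_dbg( "GET  piece, too short (8 > %i)", len );
+        return TR_ERROR_ASSERT;
+    }
 
     TR_NTOHL( p,     index );
     TR_NTOHL( &p[4], begin );
+
+    if( inf->pieceCount <= index )
+    {
+        peer_dbg( "GET  piece, invalid index" );
+        return TR_ERROR_ASSERT;
+    }
+    if( tr_pieceSize( index ) < begin + len - 8 )
+    {
+        peer_dbg( "GET  piece, invalid begin/length" );
+        return TR_ERROR_ASSERT;
+    }
+
     block = tr_block( index, begin );
 
@@ -296,5 +334,5 @@
     if( !peer->blamefield )
     {
-        peer->blamefield = tr_bitfieldNew( tor->info.pieceCount );
+        peer->blamefield = tr_bitfieldNew( inf->pieceCount );
     }
     tr_bitfieldAdd( peer->blamefield, index );
@@ -339,6 +377,8 @@
 }
 
-static inline int parseCancel( tr_peer_t * peer, uint8_t * p, int len )
-{
+static inline int parseCancel( tr_torrent_t * tor, tr_peer_t * peer,
+                               uint8_t * p, int len )
+{
+    tr_info_t * inf = &tor->info;
     int index, begin, length;
     int i;
@@ -354,4 +394,15 @@
     TR_NTOHL( &p[4], begin );
     TR_NTOHL( &p[8], length );
+
+    if( inf->pieceCount <= index )
+    {
+        peer_dbg( "GET  cancel, invalid index" );
+        return TR_ERROR_ASSERT;
+    }
+    if( tr_pieceSize( index ) < begin + length )
+    {
+        peer_dbg( "GET  cancel, invalid begin/length" );
+        return TR_ERROR_ASSERT;
+    }
 
     peer_dbg( "GET  cancel %d/%d (%d bytes)",
@@ -414,9 +465,9 @@
             return parseBitfield( tor, peer, p, len );
         case PEER_MSG_REQUEST:
-            return parseRequest( peer, p, len );
+            return parseRequest( tor, peer, p, len );
         case PEER_MSG_PIECE:
             return parsePiece( tor, peer, p, len );
         case PEER_MSG_CANCEL:
-            return parseCancel( peer, p, len );
+            return parseCancel( tor, peer, p, len );
         case PEER_MSG_PORT:
             return parsePort( peer, p, len );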
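Review bot: The new bounds checks in parseRequest (new lines 207-216) compare signed ints decoded straight from the wire, so a negative index passes `inf->pieceCount <= index`, and a negative or very large begin/length can make `begin + length` wrap or go negative (signed overflow is undefined in C) and still satisfy `tr_pieceSize( index ) < begin + length`; the same pattern is repeated in parsePiece (lines 302-311, with `begin + len - 8`) and parseCancel (lines 397-406). parseHave avoids the first problem by casting to uint32_t, but the other three functions do not. I would reject negative values explicitly and test the two bounds separately so that no addition can overflow, e.g. `if( index < 0 || inf->pieceCount <= index )` and `if( begin < 0 || length < 0 || tr_pieceSize( index ) < begin || tr_pieceSize( index ) - begin < length )`. This assumes tr_pieceSize returns a signed type comparable with these ints, which the existing comparison suggests; the bodies of all three functions begin and end outside the hunks shown.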