Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#1168 closed Bug (fixed)

reading past the end of allocated memory in KTorrent pex

Reported by: charles
Owned by: charles
Priority: Normal
Milestone: 1.33
Component: libtransmission
Version: 1.32
Severity: Normal
Keywords:
Cc:

Description

It appears that KTorrent, at least versions 2.2.5 and 2.2.7, sends a zero-length string as the added.f field during pex.

Rather than testing this length, libtransmission has been assuming that the added.f string's byte length is the same as the peer count included in the pex message.

libtransmission needs to loop on the peer count, but also test the added.f length before accessing it.

This error was first reported by valgrind. :)
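The bounds check the description calls for, as an added example that is not libtransmission's code and not part of the original ticket. It assumes the compact IPv4 layout for `added` (6 bytes per peer) and one `added.f` flag byte per peer; `pex_parse_added`, `struct pex_peer` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMPACT_PEER_LEN 6 /* assumed layout: 4-byte IPv4 address + 2-byte port */

struct pex_peer { uint8_t addr[4]; uint16_t port; uint8_t flags; };

/* Constructed sample: two peers in "added" (documentation addresses). */
static const uint8_t sample_added[12] = {
    192, 0, 2, 1, 0x1A, 0xE1,    /* 192.0.2.1:6881  */
    192, 0, 2, 2, 0xC8, 0xD5 };  /* 192.0.2.2:51413 */

/* Hypothetical helper: decode the "added" peer list and pair each peer
 * with its "added.f" flag byte. The flags length is tested per index,
 * so a zero-length or short added.f is never read past its end; peers
 * without a flag byte get flags = 0.
 * Returns the number of peers written to out. */
size_t pex_parse_added(const uint8_t *added, size_t added_len,
                       const uint8_t *added_f, size_t added_f_len,
                       struct pex_peer *out, size_t out_cap)
{
    size_t n = added_len / COMPACT_PEER_LEN; /* peer count comes from "added" */
    if (n > out_cap)
        n = out_cap;

    for (size_t i = 0; i < n; ++i) {
        const uint8_t *p = added + i * COMPACT_PEER_LEN;
        memcpy(out[i].addr, p, 4);
        out[i].port = (uint16_t)((p[4] << 8) | p[5]); /* network byte order */
        /* Loop on the peer count, but test the added.f length
         * before indexing into it. */
        out[i].flags = (added_f != NULL && i < added_f_len) ? added_f[i] : 0;
    }
    return n;
}

int main(void)
{
    struct pex_peer out[2];
    /* Empty added.f, as the ticket reports KTorrent sending. */
    size_t n = pex_parse_added(sample_added, sizeof sample_added, NULL, 0, out, 2);
    for (size_t i = 0; i < n; ++i)
        printf("peer %d port %d flags %d\n", (int)i, out[i].port, out[i].flags);
    return 0;
}
```

Building with `-fsanitize=address`, or running under valgrind as the reporter did, shows the difference if the length test is removed and `added_f[i]` is indexed unconditionally.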

Change History (4)

comment:1 Changed 13 years ago by charles

  • Status changed from new to assigned

Fixed in r6468

comment:2 Changed 13 years ago by charles

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:3 Changed 13 years ago by charles

1.3x: r6469

comment:4 Changed 13 years ago by charles

  • Summary changed from reading past the end of an added.f string in pex to reading past the end of allocated memory in KTorrent pex