#2965 closed Bug (fixed)
buffer overflow if too many tr= args in a magnet link
| Reported by: | pjz | Owned by: | charles |
|---|---|---|---|
| Priority: | Normal | Milestone: | 1.92 |
| Component: | libtransmission | Version: | 1.91 |
| Severity: | Normal | Keywords: | |
| Cc: |
Description
transmission-daemon will crash if you feed it > 64 tr= or ws= links in a single magnet link. The obvious patch is below:
Index: magnet.c
===================================================================
--- magnet.c (revision 10278)
+++ magnet.c (working copy)
@@ -151,10 +151,10 @@
if( ( keylen==2 ) && !memcmp( key, "dn", 2 ) )
displayName = tr_http_unescape( val, vallen );
- if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) )
+ if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) && trCount < MAX_TRACKERS )
tr[trCount++] = tr_http_unescape( val, vallen );
- if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) )
+ if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) && wsCount < MAX_WEBSEEDS )
ws[wsCount++] = tr_http_unescape( val, vallen );
walk = next != NULL ? next + 1 : NULL;
Change History (3)
comment:1 Changed 8 years ago by charles
- Component changed from Transmission to libtransmission
- Milestone changed from None Set to 1.92
- Owner set to charles
- Priority changed from High to Normal
- Status changed from new to assigned
comment:2 Changed 8 years ago by charles
- Resolution set to fixed
- Status changed from assigned to closed
comment:3 Changed 8 years ago by charles
- Summary changed from buffer overflow if too man tr= args in a magnet link to buffer overflow if too many tr= args in a magnet link
Note: See
TracTickets for help on using
tickets.
Fixed in trunk for 1.92 by r10279
Thanks!