Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#2965 closed Bug (fixed)

buffer overflow if too many tr= args in a magnet link

Reported by: pjz Owned by: charles
Priority: Normal Milestone: 1.92
Component: libtransmission Version: 1.91
Severity: Normal Keywords:
Cc:

Description

transmission-daemon will crash if you feed it > 64 tr= or ws= links in a single magnet link. The obvious patch is below:

Index: magnet.c
===================================================================
--- magnet.c    (revision 10278)
+++ magnet.c    (working copy)
@@ -151,10 +151,10 @@
             if( ( keylen==2 ) && !memcmp( key, "dn", 2 ) )
                 displayName = tr_http_unescape( val, vallen );
 
-            if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) )
+            if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) && trCount < MAX_TRACKERS )
                 tr[trCount++] = tr_http_unescape( val, vallen );
 
-            if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) )
+            if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) && wsCount < MAX_WEBSEEDS )
                 ws[wsCount++] = tr_http_unescape( val, vallen );
 
             walk = next != NULL ? next + 1 : NULL;
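
Review bot: On the `tr` and `ws` branches, the new `trCount < MAX_TRACKERS` and `wsCount < MAX_WEBSEEDS` guards silently drop any further trackers or webseeds once the limit is reached. A comment or a debug log at that point would make the truncation visible to anyone debugging a magnet link that loses entries. The declarations of `tr[]` and `ws[]` are outside this hunk, so confirm they are sized with these same constants, or derive the bound from the array itself (for example `sizeof(tr)/sizeof(tr[0])`) so the check cannot drift from the allocation.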

Change History (3)

comment:1 by charles, 15 years ago

Component: Transmission → libtransmission
Milestone: None Set → 1.92
Owner: set to charles
Priority: High → Normal
Status: new → assigned

comment:2 by charles, 15 years ago

Resolution: fixed
Status: assigned → closed

Fixed in trunk for 1.92 by r10279

Thanks!

comment:3 by charles, 15 years ago

Summary: buffer overflow if too man tr= args in a magnet link → buffer overflow if too many tr= args in a magnet link