#2965 closed Bug (fixed)
buffer overflow if too many tr= args in a magnet link
| Reported by: | pjz | Owned by: | charles |
|---|---|---|---|
| Priority: | Normal | Milestone: | 1.92 |
| Component: | libtransmission | Version: | 1.91 |
| Severity: | Normal | Keywords: | |
| Cc: | | | |
Description
transmission-daemon will crash if you feed it > 64 tr= or ws= links in a single magnet link. The obvious patch is below:
Index: magnet.c =================================================================== --- magnet.c (revision 10278) +++ magnet.c (working copy) @@ -151,10 +151,10 @@ if( ( keylen==2 ) && !memcmp( key, "dn", 2 ) ) displayName = tr_http_unescape( val, vallen ); - if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) ) + if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) && trCount < MAX_TRACKERS ) tr[trCount++] = tr_http_unescape( val, vallen ); - if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) ) + if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) && wsCount < MAX_WEBSEEDS ) ws[wsCount++] = tr_http_unescape( val, vallen ); walk = next != NULL ? next + 1 : NULL;
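Review bot: In both the "tr" and "ws" branches the new bound is only safe if tr[] and ws[] are declared with exactly MAX_TRACKERS and MAX_WEBSEEDS elements, and those declarations are outside this hunk. Please confirm that, or derive the limit from the array itself so the check and the declaration cannot drift apart. Once the limit is reached the remaining tr= and ws= values are dropped silently. A debug log line at that point would explain why a tracker or webseed from the link is missing. Putting the count test last in the && chain is fine: tr_http_unescape() runs only when the whole condition passes, so nothing is allocated for a skipped entry.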
Change History (3)
comment:1 Changed 13 years ago by charles
- Component changed from Transmission to libtransmission
- Milestone changed from None Set to 1.92
- Owner set to charles
- Priority changed from High to Normal
- Status changed from new to assigned
comment:2 Changed 13 years ago by charles
- Resolution set to fixed
- Status changed from assigned to closed
comment:3 Changed 13 years ago by charles
- Summary changed from buffer overflow if too man tr= args in a magnet link to buffer overflow if too many tr= args in a magnet link
Fixed in trunk for 1.92 by r10279
Thanks!