Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#2965 closed Bug (fixed)

buffer overflow if too many tr= args in a magnet link

Reported by: pjz Owned by: charles
Priority: Normal Milestone: 1.92
Component: libtransmission Version: 1.91
Severity: Normal Keywords:
Cc:

Description

transmission-daemon will crash if you feed it > 64 tr= or ws= links in a single magnet link. The obvious patch is below:

Index: magnet.c
===================================================================
--- magnet.c    (revision 10278)
+++ magnet.c    (working copy)
@@ -151,10 +151,10 @@
             if( ( keylen==2 ) && !memcmp( key, "dn", 2 ) )
                 displayName = tr_http_unescape( val, vallen );
 
-            if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) )
+            if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) && trCount < MAX_TRACKERS )
                 tr[trCount++] = tr_http_unescape( val, vallen );
 
-            if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) )
+            if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) && wsCount < MAX_WEBSEEDS )
                 ws[wsCount++] = tr_http_unescape( val, vallen );
 
             walk = next != NULL ? next + 1 : NULL;
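
Review bot: In the tr and ws branches, the new trCount < MAX_TRACKERS and wsCount < MAX_WEBSEEDS tests make every entry past the limit disappear silently, so a magnet link with more trackers or webseeds than the arrays hold is accepted with a truncated list and no indication to the caller. Consider logging once when a cap is reached, or documenting the truncation next to the two limits. The declarations of tr[] and ws[] are outside this hunk, so please confirm they are sized with exactly MAX_TRACKERS and MAX_WEBSEEDS; if either uses a literal (the report mentions 64), the guard and the array size can drift apart and the overflow returns.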

Change History (3)

comment:1 Changed 7 years ago by charles

  • Component changed from Transmission to libtransmission
  • Milestone changed from None Set to 1.92
  • Owner set to charles
  • Priority changed from High to Normal
  • Status changed from new to assigned

comment:2 Changed 7 years ago by charles

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in trunk for 1.92 by r10279

Thanks!

comment:3 Changed 7 years ago by charles

  • Summary changed from buffer overflow if too man tr= args in a magnet link to buffer overflow if too many tr= args in a magnet link