buffer overflow if too many tr= args in a magnet link
transmission-daemon will crash if you feed it > 64 tr= or ws= links in a single magnet link. The obvious patch is below:
Index: magnet.c
===================================================================
--- magnet.c (revision 10278)
+++ magnet.c (working copy)
@@ -151,10 +151,10 @@
if( ( keylen==2 ) && !memcmp( key, "dn", 2 ) )
displayName = tr_http_unescape( val, vallen );
- if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) )
+ if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) && trCount < MAX_TRACKERS )
tr[trCount++] = tr_http_unescape( val, vallen );
- if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) )
+ if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) && wsCount < MAX_WEBSEEDS )
ws[wsCount++] = tr_http_unescape( val, vallen );
walk = next != NULL ? next + 1 : NULL;
Change History
(3)
| Component: |
Transmission → libtransmission
|
| Milestone: |
None Set → 1.92
|
| Owner: |
set to charles
|
| Priority: |
High → Normal
|
| Status: |
new → assigned
|
| Resolution: |
→ fixed
|
| Status: |
assigned → closed
|
| Summary: |
buffer overflow if too man tr= args in a magnet link → buffer overflow if too many tr= args in a magnet link
|
Fixed in trunk for 1.92 by r10279
Thanks!