Opened 3 years ago

Last modified 3 years ago

#6160 new Bug

Invalid requests for magnet metadata pieces

Reported by: cfpp2p Owned by: jordan
Priority: Normal Milestone: None Set
Component: libtransmission Version: 2.92
Severity: Normal Keywords:
Cc:

Description

When receiving requests for magnet metadata pieces, requested pieces should be validated. Invalid pieces, outside the bounds of infoDictLength, can be added to the queue. This allows for a buggy or malicious client requests to fill the metadata request queue with invalid requests. Such Invalid requests are not rejected until after tr_sys_file_seek() already beyond EOF in torrent-magnet.c tr_torrentGetMetadataPiece().

patch to fix:

  • peer-msgs.c

    old new  
    11281128    if (msg_type == METADATA_MSG_TYPE_REQUEST)
    11291129    {
    11301130        if ((piece >= 0)
     1131            && (piece < ((msgs->torrent->infoDictLength + (METADATA_PIECE_SIZE - 1)) / METADATA_PIECE_SIZE))
    11311132            && tr_torrentHasMetadata (msgs->torrent)
    11321133            && !tr_torrentIsPrivate (msgs->torrent)
    11331134            && (msgs->peerAskedForMetadataCount < METADATA_REQQ))

Change History (1)

comment:1 Changed 3 years ago by cfpp2p

  • Component changed from Transmission to libtransmission
  • Owner set to jordan
Note: See TracTickets for help on using tickets.