Fix incorrect overflow handling in the DHT's parser.

Juliusz Chroboczek 2011-01-10 01:58:13 +00:00
parent 62cb43a173
commit 429754cfb5
2 changed files with 6 additions and 3 deletions


@ -1,3 +1,8 @@
dht-0.18 (unreleased)
* Fix a bug that could cause parse_message to enter an infinite loop
on overflow.
9 January 2011: dht-0.17:
* Fix a bug that prevented calling dht_init after dht_uninit.


@ -2825,21 +2825,19 @@ parse_message(const unsigned char *buf, int buflen,
l = strtol((char*)buf + i, &q, 10);
if(q && *q == ':' && l > 0) {
CHECK(q + 1, l);
i = q + 1 + l - (char*)buf;
if(l == 6) {
if(j + l > *values_len)
continue;
i = q + 1 + l - (char*)buf;
memcpy((char*)values_return + j, q + 1, l);
j += l;
} else if(l == 18) {
if(j6 + l > *values6_len)
continue;
i = q + 1 + l - (char*)buf;
memcpy((char*)values6_return + j6, q + 1, l);
j6 += l;
} else {
debugf("Received weird value -- %d bytes.\n", (int)l);
i = q + 1 + l - (char*)buf;
}
} else {
break;
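Review bot: The hoisted `i = q + 1 + l - (char*)buf;` directly after `CHECK(q + 1, l);` is only safe if CHECK has already bounded the wire-supplied `l` against the bytes left in `buf`, and that macro is defined outside this hunk. `l` comes straight from `strtol` with no ERANGE test, so if CHECK forms `q + 1 + l` as a pointer before comparing, a very large value could wrap; comparing `l` with the remaining length (for example `l > buflen - (q + 1 - (char*)buf)`) would avoid that. I would also add a comment above the assignment, such as `/* advance past this value first so that every continue below makes progress */`, since that ordering is the whole fix. The `+`/`-` markers are lost on this page, so this reads the single early assignment as the new side; parse_message and the enclosing loop start and end outside the hunk.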