mirror of https://github.com/transmission/transmission synced 2025-02-22 14:10:34 +00:00

#5732: Fix possible overflow in messageLengthIsCorrect (partial patch by cfpp2p)

Mike Gelfand 2015-10-05 01:21:47 +00:00
parent 1fd7c46bfa
commit fcbc2915eb


@ -1386,7 +1386,7 @@ messageLengthIsCorrect (const tr_peerMsgs * msg, uint8_t id, uint32_t len)
case BT_BITFIELD:
if (tr_torrentHasMetadata (msg->torrent))
return len == (msg->torrent->info.pieceCount + 7u) / 8u + 1u;
return len == (msg->torrent->info.pieceCount >> 3) + (msg->torrent->info.pieceCount & 7 ? 1 : 0) + 1u;
/* we don't know the piece count yet,
so we can only guess whether to send true or false */
if (msg->metadata_size_hint > 0)
@ -1487,6 +1487,8 @@ readBtMessage (tr_peerMsgs * msgs, struct evbuffer * inbuf, size_t inlen)
#endif
const bool fext = tr_peerIoSupportsFEXT (msgs->io);
assert (msglen > 0);
--msglen; /* id length */
dbgmsg (msgs, "got BT id %d, len %d, buffer size is %"TR_PRIuSIZE, (int)id, (int)msglen, inlen);
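Review bot: The `assert (msglen > 0);` added ahead of `--msglen;` in readBtMessage is compiled out when NDEBUG is defined, so release builds get no protection from it; a zero msglen would still be decremented and, if msglen is an unsigned type (its declaration is outside the hunk), wrap to a very large value before the later length checks run. Since this length presumably comes from the peer's wire data, a runtime check is the safer form, e.g. `if (msglen == 0) return READ_ERR;` before the decrement (assuming READ_ERR is how this function reports a malformed message), with the assert kept only if an earlier stage already rejects zero-length messages and the invariant is merely being documented. The rewritten BT_BITFIELD length in the first hunk would also benefit from a one-line comment such as `/* avoid (pieceCount + 7u) wrapping for very large piece counts */` so the longer expression is not "simplified" back later. readBtMessage's body starts and ends outside the hunk, so its existing error paths should be confirmed before adopting the early return.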