From 2ab17b7a5121a78537ddd8272d084646f7ce2ed6 Mon Sep 17 00:00:00 2001
From: Arvid Norberg
Date: Thu, 28 Apr 2011 08:55:27 +0000
Subject: [PATCH] handle incoming invalid piece messages sizes
---
 src/bt_peer_connection.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/bt_peer_connection.cpp b/src/bt_peer_connection.cpp
index 74db6d37a..d955f0961 100644
--- a/src/bt_peer_connection.cpp
+++ b/src/bt_peer_connection.cpp
@@ -1155,6 +1155,12 @@ namespace libtorrent
 return;
 }

+ if (packet_size() - 13 - list_size > t->block_size())
+ {
+ disconnect(errors::packet_too_large, 2);
+ return;
+ }
+
 TORRENT_ASSERT(!has_disk_receive_buffer());
 if (!allocate_disk_receive_buffer(packet_size() - 13 - list_size))
 {
@@ -1168,6 +1174,13 @@ namespace libtorrent
 if (recv_pos == 1)
 {
 TORRENT_ASSERT(!has_disk_receive_buffer());
+
+ if (packet_size() - 9 > t->block_size())
+ {
+ disconnect(errors::packet_too_large, 2);
+ return;
+ }
+
 if (!allocate_disk_receive_buffer(packet_size() - 9))
 {
 m_statistics.received_bytes(0, received);
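Review bot: The new guard bounds the block length only from above, so a peer-supplied `list_size` larger than `packet_size() - 13` would, if these are signed ints (the declarations are not in the hunk), produce a negative length that passes `> t->block_size()` and is handed to `allocate_disk_receive_buffer()`. The `return; }` context just above may already reject that case, but it is outside the hunk and should be confirmed. I would compute the length once and check both ends, e.g. `const int block_len = packet_size() - 13 - list_size;` followed by `if (block_len < 0 || block_len > t->block_size())`, then pass `block_len` to the allocator so the checked value and the allocated value cannot diverge. The same lower-bound question applies to `packet_size() - 9` in the second hunk for a piece message shorter than its 9-byte header.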
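Review bot: The added rejection branch disconnects and returns without the `m_statistics.received_bytes(0, received);` call that the allocation-failure branch directly below makes, so bytes received in an oversized piece message appear to go unaccounted on this path. Unless the accounting happens elsewhere before this point (the function starts and ends outside the hunk), add `m_statistics.received_bytes(0, received);` before `disconnect(errors::packet_too_large, 2);`. The first hunk's new branch likely needs the same line, but its allocation-failure body is cut off, so that is inferred. A one-line comment such as `// reject before allocating: a block can never exceed the torrent's block size` would also record why the check precedes the allocation.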