From ebde86234116d9055125f7da66c394910b13bef3 Mon Sep 17 00:00:00 2001
From: Arvid Norberg
Date: Mon, 28 Jan 2008 02:58:17 +0000
Subject: [PATCH] capped the allowed depth in bencoded messages, to avoid triggering stack overflows by malformed messages
---
 include/libtorrent/bencode.hpp | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/include/libtorrent/bencode.hpp b/include/libtorrent/bencode.hpp
index becf4d528..bd77aa104 100755
--- a/include/libtorrent/bencode.hpp
+++ b/include/libtorrent/bencode.hpp
@@ -229,8 +229,14 @@ namespace libtorrent
 }
 template
- void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err)
+ void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err, int depth)
 {
+ if (depth >= 100)
+ {
+ err = true;
+ return;
+ }
+
 if (in == end)
 {
 err = true;
@@ -268,7 +274,7 @@ namespace libtorrent
 {
 ret.list().push_back(entry());
 entry& e = ret.list().back();
- bdecode_recursive(in, end, e, err);
+ bdecode_recursive(in, end, e, err, depth + 1);
 if (err)
 {
 #ifndef NDEBUG
@@ -301,7 +307,7 @@ namespace libtorrent
 while (*in != 'e')
 {
 entry key;
- bdecode_recursive(in, end, key, err);
+ bdecode_recursive(in, end, key, err, depth + 1);
 if (err || key.type() != entry::string_t)
 {
 #ifndef NDEBUG
@@ -310,7 +316,7 @@ namespace libtorrent
 return;
 }
 entry& e = ret[key.string()];
- bdecode_recursive(in, end, e, err);
+ bdecode_recursive(in, end, e, err, depth + 1);
 if (err)
 {
 #ifndef NDEBUG
@@ -386,7 +392,7 @@ namespace libtorrent
 {
 entry e;
 bool err = false;
- detail::bdecode_recursive(start, end, e, err);
+ detail::bdecode_recursive(start, end, e, err, 0);
 TORRENT_ASSERT(e.m_type_queried == false);
 if (err)
 {
@@ -405,7 +411,7 @@ namespace libtorrent
 entry e;
 bool err = false;
 InIt s = start;
- detail::bdecode_recursive(start, end, e, err);
+ detail::bdecode_recursive(start, end, e, err, 0);
 len = std::distance(s, start);
 TORRENT_ASSERT(len >= 0);
 if (err)
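Review bot: The limit in the hunk at `@@ -229,8 +229,14 @@` is a bare literal, `if (depth >= 100)`, with nothing saying what it counts or why 100 was chosen. A named constant beside the function, for example `enum { max_bdecode_depth = 100 };` used as `if (depth >= max_bdecode_depth)`, would make the bound reviewable. It should carry a comment that every decoded value counts as one level, since the later hunks decode dictionary keys and values at `depth + 1` as well. The rejection is reported through the same `err = true` as any other malformed input, so a caller cannot tell a depth rejection from a syntax error. The body of bdecode_recursive continues past the end of this hunk.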
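Review bot: The loop condition `while (*in != 'e')` at the top of the hunk at `@@ -301,7 +307,7 @@` reads `*in` with no end-of-input check visible before it, and the depth cap added by this commit does not cover that path. The lines above the hunk are not shown, so it is unconfirmed whether they already guarantee `in != end`; if they do not, truncated input could reach the dereference. Writing the condition as `while (in != end && *in != 'e')` and setting `err = true` when the input runs out before the terminator would close it. The list branch touched by the hunk at `@@ -268,7 +274,7 @@` probably has the same loop shape, but its loop header is also outside the visible lines.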
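Review bot: The two decode entry points in the hunks at `@@ -386,7 +392,7 @@` and `@@ -405,7 +411,7 @@` now reject well-formed input that is nested 100 levels or deeper, and nothing at these call sites documents that. A comment above each function, such as `// input nested 100 or more levels deep is rejected as invalid, to bound recursion`, would tell callers that deep nesting is reported the same way as a decode error. Both function signatures and the handling after `if (err)` are outside the hunks.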