capped the allowed depth in bencoded messages, to avoid triggering stack overflows by malformed messages

This commit is contained in:
Arvid Norberg 2008-01-28 02:58:17 +00:00
parent 61bbc6e58f
commit ebde862341
1 changed files with 12 additions and 6 deletions

View File

@ -229,8 +229,14 @@ namespace libtorrent
}
template<class InIt>
void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err)
void bdecode_recursive(InIt& in, InIt end, entry& ret, bool& err, int depth)
{
if (depth >= 100)
{
err = true;
return;
}
if (in == end)
{
err = true;
@ -268,7 +274,7 @@ namespace libtorrent
{
ret.list().push_back(entry());
entry& e = ret.list().back();
bdecode_recursive(in, end, e, err);
bdecode_recursive(in, end, e, err, depth + 1);
if (err)
{
#ifndef NDEBUG
@ -301,7 +307,7 @@ namespace libtorrent
while (*in != 'e')
{
entry key;
bdecode_recursive(in, end, key, err);
bdecode_recursive(in, end, key, err, depth + 1);
if (err || key.type() != entry::string_t)
{
#ifndef NDEBUG
@ -310,7 +316,7 @@ namespace libtorrent
return;
}
entry& e = ret[key.string()];
bdecode_recursive(in, end, e, err);
bdecode_recursive(in, end, e, err, depth + 1);
if (err)
{
#ifndef NDEBUG
@ -386,7 +392,7 @@ namespace libtorrent
{
entry e;
bool err = false;
detail::bdecode_recursive(start, end, e, err);
detail::bdecode_recursive(start, end, e, err, 0);
TORRENT_ASSERT(e.m_type_queried == false);
if (err)
{
@ -405,7 +411,7 @@ namespace libtorrent
entry e;
bool err = false;
InIt s = start;
detail::bdecode_recursive(start, end, e, err);
detail::bdecode_recursive(start, end, e, err, 0);
len = std::distance(s, start);
TORRENT_ASSERT(len >= 0);
if (err)