#5732: Fix possible overflow in messageLengthIsCorrect (partial patch by cfpp2p)

diff --git a/libtransmission/peer-msgs.c b/libtransmission/peer-msgs.c
index 36fe7313b8705895f96c7b83d25ba3219fd9689d..91ded4911c6c437b0f40427a13050f22405ba8e3 100644 (file)
--- a/libtransmission/peer-msgs.c
+++ b/libtransmission/peer-msgs.c
@@ -1386,7 +1386,7 @@ messageLengthIsCorrect (const tr_peerMsgs * msg, uint8_t id, uint32_t len)
 
         case BT_BITFIELD:
             if (tr_torrentHasMetadata (msg->torrent))
-                return len == (msg->torrent->info.pieceCount + 7u) / 8u + 1u;
+                return len == (msg->torrent->info.pieceCount >> 3) + (msg->torrent->info.pieceCount & 7 ? 1 : 0) + 1u;
             /* we don't know the piece count yet,
                so we can only guess whether to send true or false */
             if (msg->metadata_size_hint > 0)
@@ -1487,6 +1487,8 @@ readBtMessage (tr_peerMsgs * msgs, struct evbuffer * inbuf, size_t inlen)
 #endif
     const bool fext = tr_peerIoSupportsFEXT (msgs->io);
 
+    assert (msglen > 0);
+
     --msglen; /* id length */
 
     dbgmsg (msgs, "got BT id %d, len %d, buffer size is %"TR_PRIuSIZE, (int)id, (int)msglen, inlen);