From: Juliusz Chroboczek
Date: Mon, 10 Jan 2011 01:58:13 +0000 (+0000)
Subject: Fix incorrect overflow handling in the DHT's parser.
X-Git-Tag: 2.20b1~65
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=429754cfb59d7b597f37e3aaf9bf06ddffb76407;p=transmission

Fix incorrect overflow handling in the DHT's parser.
---

diff --git a/third-party/dht/CHANGES b/third-party/dht/CHANGES
index 451ef78bc..aa2eae24a 100644
--- a/third-party/dht/CHANGES
+++ b/third-party/dht/CHANGES
@@ -1,3 +1,8 @@
+dht-0.18 (unreleased)
+
+ * Fix a bug that could cause parse_message to enter an infinite loop
+ on overflow.
+
 9 January 2011: dht-0.17:
 
 * Fix a bug that prevented calling dht_init after dht_uninit.
diff --git a/third-party/dht/dht.c b/third-party/dht/dht.c
index abb21d336..faa57269f 100644
--- a/third-party/dht/dht.c
+++ b/third-party/dht/dht.c
@@ -2825,21 +2825,19 @@ parse_message(const unsigned char *buf, int buflen,
 l = strtol((char*)buf + i, &q, 10);
 if(q && *q == ':' && l > 0) {
 CHECK(q + 1, l);
+ i = q + 1 + l - (char*)buf;
 if(l == 6) {
 if(j + l > *values_len) continue;
- i = q + 1 + l - (char*)buf;
 memcpy((char*)values_return + j, q + 1, l);
 j += l;
 } else if(l == 18) {
 if(j6 + l > *values6_len) continue;
- i = q + 1 + l - (char*)buf;
 memcpy((char*)values6_return + j6, q + 1, l);
 j6 += l;
 } else {
 debugf("Received weird value -- %d bytes.\n", (int)l);
- i = q + 1 + l - (char*)buf;
 }
 } else {
 break;