Possible security issue… #12
Comments
|
How would that cause a buffer overflow exactly? |
|
It can only really cause invalid re-encoded bencodes. |
Closed
anthonyryan1
pushed a commit
to anthonyryan1/libtorrent
that referenced
this issue
Oct 29, 2016
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Libtorrent allows an arbitrary number of leading zeros on bytestrings in Bencode decoding; I can see some potential for buffer overflow here. I.e., via a malicious tracker, peer, or Metainfo file.
Bytestrings should not have leading zeros ever because you'll never have a 0 length bytestring (although the Bittorrent 'spec' allows you to express something like i0e which is meaningless.
To recap:
d0000000000000000000000000000000000000000000000000000000000000000000000005:hello000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005:helloe
shouldn't be accepted. Modify a .torrent file and you'll see this works...
The text was updated successfully, but these errors were encountered: