diff options
author | irungentoo <irungentoo@gmail.com> | 2015-03-23 16:56:56 -0400 |
---|---|---|
committer | irungentoo <irungentoo@gmail.com> | 2015-03-23 16:56:56 -0400 |
commit | 47d1c1db7eecd71e0d68ba9c8c4be9c25a079125 (patch) | |
tree | 5d7fe419915267565b6c38a6e0dd29b181769bb5 /toxcore | |
parent | 8aaddd729cafe09de9eb430f05a4522bcfd09b3a (diff) |
Added some more checks for file packets.
Diffstat (limited to 'toxcore')
-rw-r--r-- | toxcore/Messenger.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/toxcore/Messenger.c b/toxcore/Messenger.c index 265ff80b..57ec652c 100644 --- a/toxcore/Messenger.c +++ b/toxcore/Messenger.c | |||
@@ -2040,9 +2040,17 @@ static int handle_packet(void *object, int i, uint8_t *temp, uint16_t len) | |||
2040 | break; | 2040 | break; |
2041 | 2041 | ||
2042 | uint8_t filenumber = data[0]; | 2042 | uint8_t filenumber = data[0]; |
2043 | |||
2044 | if (filenumber >= MAX_CONCURRENT_FILE_PIPES) | ||
2045 | break; | ||
2046 | |||
2043 | uint64_t filesize; | 2047 | uint64_t filesize; |
2044 | uint32_t file_type; | 2048 | uint32_t file_type; |
2045 | uint16_t filename_length = data_length - head_length; | 2049 | uint16_t filename_length = data_length - head_length; |
2050 | |||
2051 | if (filename_length > MAX_FILENAME_LENGTH) | ||
2052 | break; | ||
2053 | |||
2046 | memcpy(&file_type, data + 1, sizeof(file_type)); | 2054 | memcpy(&file_type, data + 1, sizeof(file_type)); |
2047 | file_type = ntohl(file_type); | 2055 | file_type = ntohl(file_type); |
2048 | 2056 | ||
@@ -2088,6 +2096,9 @@ static int handle_packet(void *object, int i, uint8_t *temp, uint16_t len) | |||
2088 | uint8_t filenumber = data[1]; | 2096 | uint8_t filenumber = data[1]; |
2089 | uint8_t control_type = data[2]; | 2097 | uint8_t control_type = data[2]; |
2090 | 2098 | ||
2099 | if (filenumber >= MAX_CONCURRENT_FILE_PIPES) | ||
2100 | break; | ||
2101 | |||
2091 | if (handle_filecontrol(m, i, send_receive, filenumber, control_type, data + 3, data_length - 3) == -1) | 2102 | if (handle_filecontrol(m, i, send_receive, filenumber, control_type, data + 3, data_length - 3) == -1) |
2092 | break; | 2103 | break; |
2093 | 2104 | ||
@@ -2099,6 +2110,10 @@ static int handle_packet(void *object, int i, uint8_t *temp, uint16_t len) | |||
2099 | break; | 2110 | break; |
2100 | 2111 | ||
2101 | uint8_t filenumber = data[0]; | 2112 | uint8_t filenumber = data[0]; |
2113 | |||
2114 | if (filenumber >= MAX_CONCURRENT_FILE_PIPES) | ||
2115 | break; | ||
2116 | |||
2102 | struct File_Transfers *ft = &m->friendlist[i].file_receiving[filenumber]; | 2117 | struct File_Transfers *ft = &m->friendlist[i].file_receiving[filenumber]; |
2103 | 2118 | ||
2104 | if (ft->status != FILESTATUS_TRANSFERRING) | 2119 | if (ft->status != FILESTATUS_TRANSFERRING) |