diff options
| author | irungentoo <irungentoo@gmail.com> | 2015-03-23 16:56:56 -0400 |
|---|---|---|
| committer | irungentoo <irungentoo@gmail.com> | 2015-03-23 16:56:56 -0400 |
| commit | 47d1c1db7eecd71e0d68ba9c8c4be9c25a079125 (patch) | |
| tree | 5d7fe419915267565b6c38a6e0dd29b181769bb5 /toxcore | |
| parent | 8aaddd729cafe09de9eb430f05a4522bcfd09b3a (diff) | |
Added some more checks for file packets.
Diffstat (limited to 'toxcore')
| -rw-r--r-- | toxcore/Messenger.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/toxcore/Messenger.c b/toxcore/Messenger.c index 265ff80b..57ec652c 100644 --- a/toxcore/Messenger.c +++ b/toxcore/Messenger.c | |||
| @@ -2040,9 +2040,17 @@ static int handle_packet(void *object, int i, uint8_t *temp, uint16_t len) | |||
| 2040 | break; | 2040 | break; |
| 2041 | 2041 | ||
| 2042 | uint8_t filenumber = data[0]; | 2042 | uint8_t filenumber = data[0]; |
| 2043 | |||
| 2044 | if (filenumber >= MAX_CONCURRENT_FILE_PIPES) | ||
| 2045 | break; | ||
| 2046 | |||
| 2043 | uint64_t filesize; | 2047 | uint64_t filesize; |
| 2044 | uint32_t file_type; | 2048 | uint32_t file_type; |
| 2045 | uint16_t filename_length = data_length - head_length; | 2049 | uint16_t filename_length = data_length - head_length; |
| 2050 | |||
| 2051 | if (filename_length > MAX_FILENAME_LENGTH) | ||
| 2052 | break; | ||
| 2053 | |||
| 2046 | memcpy(&file_type, data + 1, sizeof(file_type)); | 2054 | memcpy(&file_type, data + 1, sizeof(file_type)); |
| 2047 | file_type = ntohl(file_type); | 2055 | file_type = ntohl(file_type); |
| 2048 | 2056 | ||
| @@ -2088,6 +2096,9 @@ static int handle_packet(void *object, int i, uint8_t *temp, uint16_t len) | |||
| 2088 | uint8_t filenumber = data[1]; | 2096 | uint8_t filenumber = data[1]; |
| 2089 | uint8_t control_type = data[2]; | 2097 | uint8_t control_type = data[2]; |
| 2090 | 2098 | ||
| 2099 | if (filenumber >= MAX_CONCURRENT_FILE_PIPES) | ||
| 2100 | break; | ||
| 2101 | |||
| 2091 | if (handle_filecontrol(m, i, send_receive, filenumber, control_type, data + 3, data_length - 3) == -1) | 2102 | if (handle_filecontrol(m, i, send_receive, filenumber, control_type, data + 3, data_length - 3) == -1) |
| 2092 | break; | 2103 | break; |
| 2093 | 2104 | ||
| @@ -2099,6 +2110,10 @@ static int handle_packet(void *object, int i, uint8_t *temp, uint16_t len) | |||
| 2099 | break; | 2110 | break; |
| 2100 | 2111 | ||
| 2101 | uint8_t filenumber = data[0]; | 2112 | uint8_t filenumber = data[0]; |
| 2113 | |||
| 2114 | if (filenumber >= MAX_CONCURRENT_FILE_PIPES) | ||
| 2115 | break; | ||
| 2116 | |||
| 2102 | struct File_Transfers *ft = &m->friendlist[i].file_receiving[filenumber]; | 2117 | struct File_Transfers *ft = &m->friendlist[i].file_receiving[filenumber]; |
| 2103 | 2118 | ||
| 2104 | if (ft->status != FILESTATUS_TRANSFERRING) | 2119 | if (ft->status != FILESTATUS_TRANSFERRING) |