github.com/mumble-voip/mumble.git
author: Robert Adam <dev@robert-adam.de> 2020-08-02 18:14:51 +0300
committer: Robert Adam <dev@robert-adam.de> 2020-08-02 18:14:51 +0300
commit: 28c3a62acff20efdf4cee462c4daff3bae70e494
tree: 90bfdffe7c4d75c5be24bcac1c6ab83bf7cbf339 /src/murmur/Server.cpp
parent: dbb486e5ab91fcb34eed32940967aa38319b6e90
FIX(server): Don't allow poslen > len
This case can crash the server as the calculated buffer length without positional data (which is the normal case) is negative (len - poslen).
Diffstat (limited to 'src/murmur/Server.cpp')
-rw-r--r-- src/murmur/Server.cpp 8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/murmur/Server.cpp b/src/murmur/Server.cpp
index 530e02354..4d97c92cf 100644
--- a/src/murmur/Server.cpp
+++ b/src/murmur/Server.cpp
@@ -1110,6 +1110,14 @@ void Server::processMsg(ServerUser *u, const char *data, int len) {
len = pds.size() + 1;
+ if (poslen > static_cast<unsigned int>(len)) {
+ // poslen must never ever be bigger than len as this could lead to negative buffer sizes (len - poslen) being
+ // used when further processing the packet.
+ // Usually this shouldn't happen in the first place but can happen with malformed/malicious packets in certain
+ // cases.
+ poslen = 0;
+ }
+
/// A set of users that'll receive the audio buffer because they are listening
/// to a channel that received that audio.
QSet<ServerUser *> listeningUsers;
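
Review bot: The new guard `if (poslen > static_cast<unsigned int>(len))` only resets `poslen = 0` and then falls through, so a packet that has just been identified as malformed is still processed by the code that follows (starting with the `listeningUsers` set); consider dropping the packet with an early return and logging the condition together with the sending user, so that operators can see when it occurs. Two smaller points on the same condition: it still admits `poslen == len`, which makes `len - poslen` zero, so the later code should be confirmed to handle an empty buffer; and because `len` is a signed `int` (see the `processMsg` signature), the cast would turn a negative `len` into a large unsigned value and the check would not fire, so an explicit check or assertion that `len` is non-negative before the cast would make that assumption visible.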