← Back to team overview

linuxdcpp-team team mailing list archive

[Bug 901237] Re: Possible crash by remote client when downloading partial filelist

 

I can confirm that the current release (0.782) can be crashed using this
method.

** Changed in: dcplusplus
       Status: New => Confirmed

** Changed in: dcplusplus
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/901237

Title:
  Possible crash by remote client when downloading partial filelist

Status in DC++:
  Confirmed

Bug description:
  This report is just about the bug we discussed in DCDev yesterday.

  * when client wants to download full/partial filelist, the list name is generated as <current_nick>.<CID>
  * when partial filelist is finished, it must be found in queue so it is deleted from there. However, the list name is generated again as <current_nick>.<CID>
  * if remote user's nick is changed before the list is finished, the item will not be found in the queue and stay there forever
  * problem is that object responsible for downloading (class Download) is deallocated correctly which result that non-deleted queue item holds info about invalid Download object.
  * when operation above this object is performed (e.g. item is deleted from queue later), it will end up with access violation

  Possible remote exploit:
  When partial list request is received, send BINF with new nick to hub, wait a second and then normally provide partial list to the client.

  Behaviour:
  Client requesting partial list will end up in infinite downloading of partial list.. Assertion in QueueManager::addDownload is hit on every request in debug build.
  When deleting the list from queue manually, it can crash. It does not crash always but I think it depends whether the "invalid" memory has already been reused or not.

  Possible solutions:
  a) generate filelist name as <CID> only (I guess on-the-fly CID change is not allowed)
  b) do not perform queue search by new generation of list name but use different method.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/901237/+subscriptions


References