Date:      Sat, 10 Feb 2018 21:52:45 +0000 (UTC)
From:      "Danilo G. Baio" <dbaio@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r461437 - in head/net-p2p/libtorrent: . files
Message-ID:  <201802102152.w1ALqjT8054892@repo.freebsd.org>

Author: dbaio
Date: Sat Feb 10 21:52:45 2018
New Revision: 461437
URL: https://svnweb.freebsd.org/changeset/ports/461437

Log:
  net-p2p/libtorrent: Fix remote DoS
  
  Calls into build_bencode that use %zu could crash on 64-bit machines
  due to the size change of size_t.
  Someone can force READ_ENC_IA to fail allowing an internal_error to
  be thrown and bring down the client, throw handshake_error instead.
  
  PR:		224664
  Submitted by:	Henry David Bartholomew <PopularMoment@protonmail.com>
  Approved by:	maintainer timeout (pipfstarrd@openmailbox.org, > 2 weeks)
  MFH:		2018Q1
  Security:	e4dd787e-0ea9-11e8-95f2-005056925db4

Added:
  head/net-p2p/libtorrent/files/patch-fix-build-bencoders-callers-crash   (contents, props changed)
Modified:
  head/net-p2p/libtorrent/Makefile
  head/net-p2p/libtorrent/distinfo

Modified: head/net-p2p/libtorrent/Makefile
==============================================================================
--- head/net-p2p/libtorrent/Makefile	Sat Feb 10 21:45:06 2018	(r461436)
+++ head/net-p2p/libtorrent/Makefile	Sat Feb 10 21:52:45 2018	(r461437)
@@ -2,7 +2,7 @@
 
 PORTNAME=	libtorrent
 PORTVERSION=	0.13.6
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	net-p2p
 MASTER_SITES=	http://rtorrent.net/downloads/
 

Modified: head/net-p2p/libtorrent/distinfo
==============================================================================
--- head/net-p2p/libtorrent/distinfo	Sat Feb 10 21:45:06 2018	(r461436)
+++ head/net-p2p/libtorrent/distinfo	Sat Feb 10 21:52:45 2018	(r461437)
@@ -1,2 +1,3 @@
+TIMESTAMP = 1518295243
 SHA256 (libtorrent-0.13.6.tar.gz) = 2838a08c96edfd936aff8fbf99ecbb930c2bfca3337dd1482eb5fccdb80d5a04
 SIZE (libtorrent-0.13.6.tar.gz) = 781253

Added: head/net-p2p/libtorrent/files/patch-fix-build-bencoders-callers-crash
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net-p2p/libtorrent/files/patch-fix-build-bencoders-callers-crash	Sat Feb 10 21:52:45 2018	(r461437)
@@ -0,0 +1,45 @@
+# https://github.com/rakshasa/libtorrent/pull/99/files
+
+--- src/protocol/extensions.cc.orig	2015-08-08 17:01:32.000000000 +0200
++++ src/protocol/extensions.cc	2017-12-02 01:46:38.522736000 +0100
+@@ -394,7 +394,7 @@
+   if (m_download->info()->is_meta_download() || piece >= pieceEnd) {
+     // reject: { "msg_type" => 2, "piece" => ... }
+     m_pendingType = UT_METADATA;
+-    m_pending = build_bencode(40, "d8:msg_typei2e5:piecei%zuee", piece);
++    m_pending = build_bencode(sizeof(size_t) + 36, "d8:msg_typei2e5:piecei%zuee", piece);
+     return;
+   }
+ 
+@@ -407,7 +407,7 @@
+   // data: { "msg_type" => 1, "piece" => ..., "total_size" => ... } followed by piece data (outside of dictionary)
+   size_t length = piece == pieceEnd - 1 ? m_download->info()->metadata_size() % metadata_piece_size : metadata_piece_size;
+   m_pendingType = UT_METADATA;
+-  m_pending = build_bencode(length + 128, "d8:msg_typei1e5:piecei%zue10:total_sizei%zuee", piece, metadataSize);
++  m_pending = build_bencode((2 * sizeof(size_t)) + length + 120, "d8:msg_typei1e5:piecei%zue10:total_sizei%zuee", piece, metadataSize);
+ 
+   memcpy(m_pending.end(), buffer + (piece << metadata_piece_shift), length);
+   m_pending.set(m_pending.data(), m_pending.end() + length, m_pending.owned());
+--- src/protocol/handshake.cc.orig	2015-08-08 17:01:49.000000000 +0200
++++ src/protocol/handshake.cc	2017-12-02 01:46:38.523093000 +0100
+@@ -738,7 +738,7 @@
+         break;
+ 
+       if (m_readBuffer.remaining() > m_encryption.length_ia())
+-        throw internal_error("Read past initial payload after incoming encrypted handshake.");
++        throw handshake_error(ConnectionManager::handshake_failed, e_handshake_invalid_value);
+ 
+       if (m_encryption.crypto() != HandshakeEncryption::crypto_rc4)
+         m_encryption.info()->set_obfuscated();
+--- src/torrent/object_stream.cc.orig	2015-08-08 17:01:32.000000000 +0200
++++ src/torrent/object_stream.cc	2017-12-02 01:46:38.523350000 +0100
+@@ -104,7 +104,8 @@
+   while (first != last && *first >= '0' && *first <= '9')
+     length = length * 10 + (*first++ - '0');
+ 
+-  if (length + 1 > (unsigned int)std::distance(first, last) || *first++ != ':')
++  if (length + 1 > (unsigned int)std::distance(first, last) || *first++ != ':'
++		  || length + 1 == 0)
+     throw torrent::bencode_error("Invalid bencode data.");
+   
+   return raw_string(first, length);
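Review bot: In the nested object_stream.cc hunk the new wrap-around test `length + 1 == 0` sits last in the `||` chain, so it is evaluated only after `*first++ != ':'` has already dereferenced `first`; when `length + 1` wraps to 0 the bounds comparison before it is false even if `first == last`, so the read can land one past the input. Moving the test to the front closes that path: `if (length + 1 == 0 || length + 1 > (unsigned int)std::distance(first, last) || *first++ != ':')`. The digit loop above it (`length = length * 10 + ...`) can also wrap to values other than the maximum, which this check does not catch; the declaration of `length` and the start of the function are outside the hunk, so an unsigned type is assumed here. Separately, in the extensions.cc hunks `sizeof(size_t)` is a byte width rather than the number of decimal digits `%zu` can print (up to 20 for a 64-bit value), so a comment deriving the constants 36 and 120 from the format strings would make the two buffer budgets checkable.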


