Package: transmission-daemon
Version: 2.52-3
Severity: grave
Tags: security patch upstream
Justification: user security hole

The transmission-daemon package in wheezy crashes regularly. According 
to upstream this is a remote security hole (at least a remote DoS, but 
most probably there is a way to take control of the process).

https://trac.transmissionbt.com/ticket/5044
https://trac.transmissionbt.com/ticket/5002

Apparently there is no CVE assigned. The bug is fixed upstream and I’m 
attaching the patch. I’m currently testing a patched package, and will 
report whether the fix is sufficient.

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-
Index: trunk/third-party/libutp/utp.cpp
===================================================================
--- trunk/third-party/libutp/utp.cpp	(revision 13645)
+++ trunk/third-party/libutp/utp.cpp	(revision 13646)
@@ -1488,4 +1488,6 @@
 }
 
+enum { MAX_EACK = 128 };
+
 void UTPSocket::selective_ack(uint base, const byte *mask, byte len)
 {
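Review bot: `MAX_EACK` is added without a comment saying where 128 comes from. `selective_ack` takes `byte len`, so the type alone allows a mask of up to 255 bytes, and the constant does not obviously follow from that. A one-line comment stating that this is the capacity of the `resends` stack, and that every push must be checked against it, would make the bound reviewable.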
@@ -1500,5 +1502,5 @@
 	// iterate in reverse over the acked packets, at the end, the top packets
 	// are the ones we want to resend
-	int resends[32];
+	int resends[MAX_EACK];
 	int nr = 0;
 
@@ -1573,4 +1575,10 @@
 			count >= DUPLICATE_ACKS_BEFORE_RESEND &&
 			duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
+			// resends is a stack, and we're mostly interested in the top of it
+			// if we're full, just throw away the lower half
+			if (nr >= MAX_EACK - 2) {
+				memmove(resends, &resends[MAX_EACK/2], MAX_EACK/2 * sizeof(resends[0]));
+				nr -= MAX_EACK / 2;
+			}
 			resends[nr++] = v;
 			LOG_UTPV("0x%08x: no ack for %u", this, v);
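Review bot: the `- 2` in `if (nr >= MAX_EACK - 2)` is not explained. The added comment says why the lower half is discarded but not why the threshold sits two slots below capacity; if the margin is there to leave room for this push and the later `base - 1` push, say so here. The `memmove` also always copies `MAX_EACK/2` entries starting at `&resends[MAX_EACK/2]`, which at `nr == MAX_EACK - 2` includes the top two slots that have not been written yet. That is harmless because `nr` ends up below them, but copying `nr - MAX_EACK/2` entries would be exact.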
@@ -1581,11 +1589,10 @@
 	} while (--bits >= -1);
 
-	if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) < 256 &&
-		count >= DUPLICATE_ACKS_BEFORE_RESEND &&
-		duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
+	if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) <= OUTGOING_BUFFER_MAX_SIZE &&
+		count >= DUPLICATE_ACKS_BEFORE_RESEND) {
 		// if we get enough duplicate acks to start
 		// resending, the first packet we should resend
 		// is base-1
-		resends[nr++] = base - 1;
+		resends[nr++] = (base - 1) & ACK_NR_MASK;
 	} else {
 		LOG_UTPV("0x%08x: not resending %u count:%d dup_ack:%u fast_resend_seq_nr:%u",
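Review bot: the final `resends[nr++] = (base - 1) & ACK_NR_MASK;` has no bounds check of its own and is safe only because of the margin kept by the `nr >= MAX_EACK - 2` test in the loop. An explicit `nr < MAX_EACK` check or assert next to this write would keep it from depending on a condition in another block. This hunk also drops `duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND` from the condition and changes `< 256` to `<= OUTGOING_BUFFER_MAX_SIZE`, which changes both the window and its boundary; neither is explained in a comment, and the `else` branch still logs `dup_ack` as if it took part in the decision.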