Fixed in DC++ 0.790.
** Changed in: dcplusplus
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/901237
Title:
Possible crash by remote client when downloading partial filelist
Status in DC++:
Fix Released
Bug description:
This report is just about the bug we discussed in DCDev yesterday.
* when client wants to download full/partial filelist, the list name is
generated as <current_nick>.<CID>
* when partial filelist is finished, it must be found in queue so it is
deleted from there. However, the list name is generated again as
<current_nick>.<CID>
* if remote user's nick is changed before the list is finished, the item will
not be found in the queue and stay there forever
* the problem is that the object responsible for downloading (class Download) is
deallocated correctly, which results in the non-deleted queue item holding info
about an invalid Download object.
* when an operation on this object is performed (e.g. item is deleted from
queue later), it will end up with an access violation
Possible remote exploit:
When partial list request is received, send BINF with new nick to hub, wait a
second and then normally provide partial list to the client.
Behaviour:
Client requesting partial list will end up in infinite downloading of partial
list. Assertion in QueueManager::addDownload is hit on every request in debug
build.
When deleting the list from queue manually, it can crash. It does not crash
always but I think it depends whether the "invalid" memory has already been
reused or not.
Possible solutions:
a) generate filelist name as <CID> only (I guess on-the-fly CID change is not
allowed)
b) do not perform queue search by new generation of list name but use
different method.
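
Added example (not DC++ code and not part of the original report): a minimal model of the queue bookkeeping described above, comparing lookup by a regenerated <current_nick>.<CID> name with proposed solutions (a) and (b). ListQueue, Download, Lookup and the sample values are hypothetical, and a weak_ptr stands in for the pointer a queue item keeps to its Download so the stale state can be observed safely.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>
#include <utility>

struct User { std::string cid, nick; };      // CID is stable, nick can change
struct Download { std::string queueKey; };   // key captured when the request was queued
enum class Lookup { RegenerateNickCid, CidOnly, StoredKey };

class ListQueue {
    Lookup mode;
    // weak_ptr models the reference a queue item holds to its Download
    std::map<std::string, std::weak_ptr<Download>> items;

    std::string name(const User& u) const {
        return mode == Lookup::CidOnly ? u.cid : u.nick + "." + u.cid;
    }
public:
    explicit ListQueue(Lookup m) : mode(m) {}

    std::shared_ptr<Download> request(const User& u) {
        auto d = std::make_shared<Download>(Download{name(u)});
        items[d->queueKey] = d;
        return d;
    }
    // Transfer finished: remove the queue item; the Download is freed on return.
    void finish(const User& u, std::shared_ptr<Download> d) {
        items.erase(mode == Lookup::StoredKey ? d->queueKey : name(u));
    }
    // Queue items that outlived their Download (the state described in the report).
    std::size_t staleItems() const {
        std::size_t n = 0;
        for (const auto& kv : items) if (kv.second.expired()) ++n;
        return n;
    }
};

// Request a list, change the nick before completion, finish, count leftovers.
std::size_t staleAfterNickChange(Lookup mode) {
    ListQueue q(mode);
    User u{"CID-PLACEHOLDER", "alice"};      // constructed sample values
    auto d = q.request(u);
    u.nick = "bob";                          // nick update arrives mid-transfer
    q.finish(u, std::move(d));
    return q.staleItems();
}
```

Only the RegenerateNickCid mode leaves an item in the queue whose Download no longer exists; keying by CID alone or reusing the key stored at request time removes it.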