[Phex-svn] SF.net SVN: phex:[4479] phex/trunk/src/main/java/phex

[<gr...@us...>]

Revision: 4479
          http://phex.svn.sourceforge.net/phex/?rev=4479&view=rev
Author:   gregork
Date:     2009-07-26 13:37:12 +0000 (Sun, 26 Jul 2009)

Log Message:
-----------
ensure a faulty header length wont cause OOM error

Modified Paths:
--------------
    phex/trunk/src/main/java/phex/connection/BrowseHostConnection.java
    phex/trunk/src/main/java/phex/msg/MessageProcessor.java
    phex/trunk/src/main/java/phex/msghandling/UdpMessageDataHandler.java

Modified: phex/trunk/src/main/java/phex/connection/BrowseHostConnection.java
===================================================================
--- phex/trunk/src/main/java/phex/connection/BrowseHostConnection.java	2009-07-26 11:35:04 UTC (rev 4478)
+++ phex/trunk/src/main/java/phex/connection/BrowseHostConnection.java	2009-07-26 13:37:12 UTC (rev 4479)
@@ -45,6 +45,7 @@
 import phex.net.connection.Connection;
 import phex.net.connection.SocketFactory;
 import phex.net.repres.SocketFacade;
+import phex.prefs.core.MessagePrefs;
 import phex.query.BrowseHostResults;
 import phex.servent.Servent;
 
@@ -161,6 +162,15 @@
                 {
                     throw new BrowseHostException( "Wrong header payload. Expecting query hit: " + header.getPayload() );
                 }
+                int length = header.getDataLength();
+                if ( length < 0 )
+                {
+                    throw new IOException( "Negative body size. Drop." );
+                }
+                else if ( length > MessagePrefs.MaxLength.get().intValue() )
+                {
+                    throw new IOException("Packet too big ("+length+"). Drop.");
+                }
                 try
                 {
                     QueryResponseMsg message = ( QueryResponseMsg )MessageProcessor.parseMessage(

Modified: phex/trunk/src/main/java/phex/msg/MessageProcessor.java
===================================================================
--- phex/trunk/src/main/java/phex/msg/MessageProcessor.java	2009-07-26 11:35:04 UTC (rev 4478)
+++ phex/trunk/src/main/java/phex/msg/MessageProcessor.java	2009-07-26 13:37:12 UTC (rev 4479)
@@ -28,6 +28,7 @@
 import phex.common.log.NLogger;
 import phex.msg.vendor.VendorMsg;
 import phex.net.connection.Connection;
+import phex.prefs.core.MessagePrefs;
 import phex.security.PhexSecurityManager;
 import phex.utils.IOUtil;
 
@@ -47,6 +48,15 @@
         {
             throw new IOException("Connection closed by remote host");
         }
+        int length = header.getDataLength();
+        if ( length < 0 )
+        {
+            throw new IOException( "Negative body size. Drop." );
+        }
+        else if ( length > MessagePrefs.MaxLength.get().intValue() )
+        {
+            throw new IOException("Packet too big ("+length+"). Drop.");
+        }
         return parseMessage( header, connection, securityService );
     }
     
@@ -148,7 +158,7 @@
         return parseMessageHeader( ByteBuffer.wrap( buffer ) );
     }
 
-    public static MsgHeader parseMessageHeader( ByteBuffer buffer )
+    public static MsgHeader parseMessageHeader( ByteBuffer buffer ) 
     {
         byte[] guidArr = new byte[ GUID.DATA_LENGTH ];
         buffer.get( guidArr );

Modified: phex/trunk/src/main/java/phex/msghandling/UdpMessageDataHandler.java
===================================================================
--- phex/trunk/src/main/java/phex/msghandling/UdpMessageDataHandler.java	2009-07-26 11:35:04 UTC (rev 4478)
+++ phex/trunk/src/main/java/phex/msghandling/UdpMessageDataHandler.java	2009-07-26 13:37:12 UTC (rev 4479)
@@ -45,6 +45,7 @@
 import phex.msg.vendor.VendorMsg;
 import phex.net.UdpDataHandler;
 import phex.net.UdpService;
+import phex.prefs.core.MessagePrefs;
 import phex.security.AccessType;
 import phex.security.PhexSecurityManager;
 import phex.servent.Servent;
@@ -52,6 +53,7 @@
 import phex.statistic.StatisticProvider;
 import phex.statistic.StatisticsManager;
 import phex.udp.UdpGuidRoutingTable;
+import phex.utils.HexConverter;
 
 public class UdpMessageDataHandler implements UdpDataHandler
 {
@@ -104,7 +106,17 @@
             headerBuffer.flip();
             MsgHeader msgHeader = MessageProcessor.parseMessageHeader( headerBuffer );
             
-            ByteBuffer bodyBuffer = ByteBuffer.allocate( msgHeader.getDataLength() );
+            int length = msgHeader.getDataLength();
+            if ( length < 0 )
+            {
+                throw new IOException( "Negative body size. Drop." );
+            }
+            else if ( length > MessagePrefs.MaxLength.get().intValue() )
+            {
+                throw new IOException("Packet too big ("+length+"). Drop.");
+            }
+            
+            ByteBuffer bodyBuffer = ByteBuffer.allocate( length );
             dataSource.read( bodyBuffer );
             bodyBuffer.flip();
             


This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.