From f3468edf195e66eb0fdb8f8c69a79992db5870a8 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie
Date: Sat, 15 Jan 2022 14:25:39 -0500
Subject: [PATCH] frontend/http: avoid overflows parsing queryparams
---
 bittorrent/params.go | 4 ++--
 frontend/http/parser.go | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/bittorrent/params.go b/bittorrent/params.go
index b820108..19be5c3 100644
--- a/bittorrent/params.go
+++ b/bittorrent/params.go
@@ -189,13 +189,13 @@ func (qp *QueryParams) String(key string) (string, bool) {
 // Uint64 returns a uint parsed from a query. After being called, it is safe to
 // cast the uint64 to your desired length.
-func (qp *QueryParams) Uint64(key string) (uint64, error) {
+func (qp *QueryParams) Uint64(key string, bitSize int) (uint64, error) {
 str, exists := qp.params[key]
 if !exists {
 return 0, ErrKeyNotFound
 }
- val, err := strconv.ParseUint(str, 10, 64)
+ val, err := strconv.ParseUint(str, 10, bitSize)
 if err != nil {
 return 0, err
 }
diff --git a/frontend/http/parser.go b/frontend/http/parser.go
index ca53e87..e690ec2 100644
--- a/frontend/http/parser.go
+++ b/frontend/http/parser.go
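Review bot: The doc comment kept above Uint64 in bittorrent/params.go still says the result is safe to cast to any desired length, which after this change is true only for the width the caller passes as bitSize. The comment should describe the new parameter, for example `// Uint64 parses the value for key as a base-10 unsigned integer that fits in bitSize bits;` `// casting the result to a type of that width cannot truncate.` Since bitSize is handed straight to strconv.ParseUint, where 0 selects the platform's uint size, the comment should also say that callers are expected to pass the width of the destination type. The function body continues past the end of this hunk.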
@@ -73,25 +73,25 @@ func ParseAnnounce(r *http.Request, opts ParseOptions) (*bittorrent.AnnounceRequ
 request.Peer.ID = bittorrent.PeerIDFromString(peerID)
 // Determine the number of remaining bytes for the client.
- request.Left, err = qp.Uint64("left")
+ request.Left, err = qp.Uint64("left", 64)
 if err != nil {
 return nil, bittorrent.ClientError("failed to parse parameter: left")
 }
 // Determine the number of bytes downloaded by the client.
- request.Downloaded, err = qp.Uint64("downloaded")
+ request.Downloaded, err = qp.Uint64("downloaded", 64)
 if err != nil {
 return nil, bittorrent.ClientError("failed to parse parameter: downloaded")
 }
 // Determine the number of bytes shared by the client.
- request.Uploaded, err = qp.Uint64("uploaded")
+ request.Uploaded, err = qp.Uint64("uploaded", 64)
 if err != nil {
 return nil, bittorrent.ClientError("failed to parse parameter: uploaded")
 }
 // Determine the number of peers the client wants in the response.
- numwant, err := qp.Uint64("numwant")
+ numwant, err := qp.Uint64("numwant", 32)
 if err != nil && err != bittorrent.ErrKeyNotFound {
 return nil, bittorrent.ClientError("failed to parse parameter: numwant")
 }
@@ -100,7 +100,7 @@ func ParseAnnounce(r *http.Request, opts ParseOptions) (*bittorrent.AnnounceRequ
 request.NumWant = uint32(numwant)
 // Parse the port where the client is listening.
- port, err := qp.Uint64("port")
+ port, err := qp.Uint64("port", 16)
 if err != nil {
 return nil, bittorrent.ClientError("failed to parse parameter: port")
 }
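Review bot: The widths passed to qp.Uint64 in ParseAnnounce (`64`, `32`, `16`) are bare literals that have to stay in step with the destination types, and nothing in the code ties them together; the `uint32(numwant)` cast is visible in the second hunk, and the port conversion presumably sits just below it, outside the diff. If a field type or one of the literals changes later, the silent truncation of client-supplied values that this commit removes comes back without any compile error. A short comment at each call, such as `// 32 must match the width of request.NumWant (uint32)`, or named constants kept next to the request type, would make the coupling explicit. A regression test that sends numwant and port values one past the 32-bit and 16-bit maxima and expects a ClientError would pin the behaviour. ParseAnnounce begins and ends outside both hunks.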