From: leslie Date: Fri, 18 Sep 2009 12:15:23 +0000 (+0800) Subject: cardclient-cccam2: precautions against full read buffer X-Git-Tag: upstream/620~160 X-Git-Url: http://www.vanbest.org/gitweb/?a=commitdiff_plain;h=707277788b57ab0a2fe012ccc184cf13e81bf85e;p=sasc-ng.git cardclient-cccam2: precautions against full read buffer --- diff --git a/network.c b/network.c index 2ece6d4..a937b61 100644 --- a/network.c +++ b/network.c @@ -301,6 +301,11 @@ int cNetSocket::Read(unsigned char *data, int len, int timeout) if(timeout<0) timeout=rwTimeout; bool blockmode=true; if(len<0) { len=-len; blockmode=false; } + else if(len==0) { + PRINTF(L_GEN_DEBUG,"internal: zero length on socket read"); + errno=EINVAL; + return -1; + } int cnt=0, r; cTimeMs tim; do { diff --git a/systems/cardclient/cccam2.c b/systems/cardclient/cccam2.c index 7564159..313df0b 100644 --- a/systems/cardclient/cccam2.c +++ b/systems/cardclient/cccam2.c @@ -941,7 +941,13 @@ void cCardClientCCcam2::Action(void) int cnt=0; while(Running() && so.Connected()) { unsigned char recvbuff[1024]; - int len=CryptRecv(recvbuff+cnt,-(sizeof(recvbuff)-cnt),200); + int len=sizeof(recvbuff)-cnt; + if(len==0) { + HEXDUMP(L_GEN_DEBUG,recvbuff,sizeof(recvbuff),"internal: cccam2 read buffer overflow"); + Logout(); + break; + } + len=CryptRecv(recvbuff+cnt,-len,200); if(len>0) { HEXDUMP(L_CC_CCCAM2DT,recvbuff+cnt,len,"net read: len=%d cnt=%d",len,cnt+len); cnt+=len; @@ -950,13 +956,17 @@ void cCardClientCCcam2::Action(void) while(proc+4<=cnt) { struct CmdHeader *hdr=(struct CmdHeader *)(recvbuff+proc); int l=CMDLEN(hdr); + if(l>(int)sizeof(recvbuff)) + PRINTF(L_GEN_DEBUG,"internal: cccam2 cmd length exceed buffer size"); if(proc+l>cnt) break; LDUMP(L_CC_CCCAM2DT,hdr,l,"msg in:"); PacketAnalyzer(hdr,l); proc+=l; } - cnt-=proc; - memmove(recvbuff,recvbuff+proc,cnt); + if(proc) { + cnt-=proc; + memmove(recvbuff,recvbuff+proc,cnt); + } if(lastsend.TimedOut()) { static const struct CmdHeader ping = { 0,6,0 }; if(CryptSend((unsigned char *)&ping,sizeof(ping))<0)