From 707277788b57ab0a2fe012ccc184cf13e81bf85e Mon Sep 17 00:00:00 2001
From: leslie
Date: Fri, 18 Sep 2009 20:15:23 +0800
Subject: [PATCH] cardclient-cccam2: precautions against full read buffer
---
 network.c | 5 +++++
 systems/cardclient/cccam2.c | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/network.c b/network.c
index 2ece6d4..a937b61 100644
--- a/network.c
+++ b/network.c
@@ -301,6 +301,11 @@ int cNetSocket::Read(unsigned char *data, int len, int timeout)
 if(timeout<0) timeout=rwTimeout;
 bool blockmode=true;
 if(len<0) { len=-len; blockmode=false; }
+ else if(len==0) {
+ PRINTF(L_GEN_DEBUG,"internal: zero length on socket read");
+ errno=EINVAL;
+ return -1;
+ }
 int cnt=0, r;
 cTimeMs tim;
 do {
diff --git a/systems/cardclient/cccam2.c b/systems/cardclient/cccam2.c
index 7564159..313df0b 100644
--- a/systems/cardclient/cccam2.c
+++ b/systems/cardclient/cccam2.c
@@ -941,7 +941,13 @@ void cCardClientCCcam2::Action(void)
 int cnt=0;
 while(Running() && so.Connected()) {
 unsigned char recvbuff[1024];
- int len=CryptRecv(recvbuff+cnt,-(sizeof(recvbuff)-cnt),200);
+ int len=sizeof(recvbuff)-cnt;
+ if(len==0) {
+ HEXDUMP(L_GEN_DEBUG,recvbuff,sizeof(recvbuff),"internal: cccam2 read buffer overflow");
+ Logout();
+ break;
+ }
+ len=CryptRecv(recvbuff+cnt,-len,200);
 if(len>0) {
 HEXDUMP(L_CC_CCCAM2DT,recvbuff+cnt,len,"net read: len=%d cnt=%d",len,cnt+len);
 cnt+=len;
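Review bot: The sign of `len` now selects between three behaviours in cNetSocket::Read (negative, zero, positive), but nothing next to the new `else if(len==0)` branch states that contract. A comment above it would help callers, e.g. `// len<0: blockmode off, read up to -len bytes; len==0: caller bug, fails with -1/EINVAL` (the meaning of blockmode is inferred from the visible `blockmode=false` line and should be confirmed). A caller that passes its remaining buffer space as the length now gets -1 when that space is zero, so it has to tell `errno==EINVAL` apart from a real socket error. The function body starts and ends outside the hunk.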
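Review bot: The new guard `if(len==0)` in Action() only catches an exactly full buffer. If `cnt` ever ran past `sizeof(recvbuff)`, `len` would come out negative, `-len` positive, and CryptRecv would be asked to read at `recvbuff+cnt`, beyond the array. Nothing visible in the hunk lets `cnt` exceed the buffer, so this is hardening rather than a demonstrated overflow, but `if(len<=0) {` costs nothing and keeps the bound check complete. The HEXDUMP in that branch writes all 1024 bytes of received traffic at L_GEN_DEBUG, so it is worth confirming that this log class is off by default. The loop body continues outside the hunk.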
@@ -950,13 +956,17 @@ void cCardClientCCcam2::Action(void)
 while(proc+4<=cnt) {
 struct CmdHeader *hdr=(struct CmdHeader *)(recvbuff+proc);
 int l=CMDLEN(hdr);
+ if(l>(int)sizeof(recvbuff))
+ PRINTF(L_GEN_DEBUG,"internal: cccam2 cmd length exceed buffer size");
 if(proc+l>cnt) break;
 LDUMP(L_CC_CCCAM2DT,hdr,l,"msg in:");
 PacketAnalyzer(hdr,l);
 proc+=l;
 }
- cnt-=proc;
- memmove(recvbuff,recvbuff+proc,cnt);
+ if(proc) {
+ cnt-=proc;
+ memmove(recvbuff,recvbuff+proc,cnt);
+ }
 if(lastsend.TimedOut()) {
 static const struct CmdHeader ping = { 0,6,0 };
 if(CryptSend((unsigned char *)&ping,sizeof(ping))<0)
--
2.39.5
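Review bot: The new `if(l>(int)sizeof(recvbuff))` check only logs, so a command length from the received header that can never fit still falls through to `if(proc+l>cnt) break;`, and the session keeps buffering until the full-buffer guard added earlier in this patch calls Logout(). Rejecting it where it is detected is clearer: `if(l>(int)sizeof(recvbuff)) { PRINTF(L_GEN_DEBUG,"internal: cccam2 cmd length exceed buffer size"); Logout(); break; }`, assuming Logout() closes the socket so the outer loop condition ends the loop. CMDLEN is defined outside the hunk; if it can yield less than the 4-byte header that `proc+4<=cnt` implies, `proc+=l` would not step past the header, so a lower bound such as `l<4` belongs in the same check. Action() starts and ends outside the hunk.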