From 7be2b458c809cbfc162fa17e0bd2065d4c2f08d9 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 5 Sep 2024 14:59:14 -0700
Subject: [PATCH] client: fix potential byte count overflow
In many places we use int where in theory we should use size_t or ssize_t. This would cause problems if things like RPC messages exceeded 2GB.
---
client/gui_rpc_server_ops.cpp | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/client/gui_rpc_server_ops.cpp b/client/gui_rpc_server_ops.cpp
index 1483baacb3..ec4e2552a0 100644
--- a/client/gui_rpc_server_ops.cpp
+++ b/client/gui_rpc_server_ops.cpp
@@ -1987,20 +1987,20 @@ void GUI_RPC_CONN::handle_get() {
 // return nonzero only if we need to close the connection
 //
 int GUI_RPC_CONN::handle_rpc() {
- int n, retval=0;
+ int retval=0;
 char* p;
 int left = GUI_RPC_REQ_MSG_SIZE - request_nbytes;
 #ifdef _WIN32
- n = recv(sock, request_msg+request_nbytes, left, 0);
+ SSIZE_T nb = recv(sock, request_msg+request_nbytes, left, 0);
 #else
- n = read(sock, request_msg+request_nbytes, left);
+ ssize_t nb = read(sock, request_msg+request_nbytes, left);
 #endif
- if (n <= 0) {
+ if (nb <= 0) {
 request_nbytes = 0;
 return ERR_READ;
 }
- request_nbytes += n;
+ request_nbytes += nb;
 // buffer full?
 if (request_nbytes >= GUI_RPC_REQ_MSG_SIZE) {
@@ -2102,6 +2102,7 @@ int GUI_RPC_CONN::handle_rpc() {
 if (!http_request) {
 mfout.printf("\003"); // delimiter for non-HTTP replies
 }
+ int n;
 mout.get_buf(p, n);
 if (http_request) {
 char buf[1024];
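Review bot: `request_nbytes += nb;` converts the new `ssize_t`/`SSIZE_T` value straight back into `request_nbytes`, which `int left = GUI_RPC_REQ_MSG_SIZE - request_nbytes;` suggests is still an `int`, so widening only the local does not change the accumulated count's range — and `nb` is already bounded by `left`, which is also `int`. If the intent of the commit is to lift the 2GB limit for this path, `request_nbytes` and `left` need the wider type as well; otherwise a comment such as `// nb is bounded by left (int), so this cannot overflow request_nbytes` would record why the narrowing is safe. Separately, `left` is passed to `read()` unchecked; on POSIX the length parameter is `size_t`, so a zero or negative `left` would be passed as a very large length — if the "buffer full?" branch below (its body is outside the hunk) guarantees `request_nbytes < GUI_RPC_REQ_MSG_SIZE` on entry this cannot occur, but a guard `if (left <= 0) { request_nbytes = 0; return ERR_READ; }` before the `#ifdef` would make that invariant explicit and local. handle_rpc's body continues past both hunks.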