[Security] Attempt to write outside buffer bounds #820

Closed
jimmywarting opened this issue May 29, 2016 · 7 comments

Comments

@jimmywarting
Contributor

  • WebTorrent version: 1.2.2 (webtorrent 0.94.2)
  • Node.js version: v6.2.0
UNEXPECTED ERROR: If this is a bug in WebTorrent, report it!
OPEN AN ISSUE: https://github.com/feross/webtorrent/issues

buffer.js:772
    throw new RangeError('Attempt to write outside buffer bounds');
    ^

RangeError: Attempt to write outside buffer bounds
    at Buffer.write (buffer.js:772:11)
    at fromString (buffer.js:238:26)
    at Function.Buffer.from (buffer.js:131:12)
    at new Buffer (buffer.js:112:17)
    at Function.encode.buffer (../webtorrent-cli/node_modules/bencode/lib/encode.js:61:17)
    at Function.encode.dict (../webtorrent-cli/node_modules/bencode/lib/encode.js:95:12)
    at Function.encode._encode (../webtorrent-cli/node_modules/bencode/lib/encode.js:46:18)
    at Object.encode (../webtorrent-cli/node_modules/bencode/lib/encode.js:12:10)
    at Wire._sendExtendedHandshake (../webtorrent-cli/node_modules/bittorrent-protocol/index.js:243:28)
    at Wire._onHandshake (../webtorrent-cli/node_modules/bittorrent-protocol/index.js:444:10)

@feross
Member

feross commented May 29, 2016

@jimmywarting Can you please answer the following:

  • Were you running WebTorrent in Node.js or the browser?
  • Are you using webtorrent-hybrid?
  • What OS?
  • How much RAM is available on the machine?

@feross
Member

feross commented May 29, 2016

@jimmywarting
Contributor Author

jimmywarting commented May 29, 2016

It only happened in the beginning when I opened the magnet link.
I tried with the WebTorrent desktop app first, but it only displayed something about wrong metadata.
So I went ahead and installed webtorrent-cli and tried it again, where this error log appeared.

Using Mac 10.11.4
and have 8GB of RAM

But yeah, they seem to be related, think I can close this.

Btw, it only happened for 1 torrent file; the rest of the torrents I added the same day worked fine with the same version.

@feross
Member

feross commented May 30, 2016

This is definitely still a bug.

It's caused by two issues that together cause this behavior:

  1. We're passing in a negative value to the Buffer constructor.
  2. Node.js has a bug when you call the Buffer constructor with a negative value that messes up some internal state and causes later Buffer allocations to be buggy -- i.e. overlap previous Buffers or to throw RangeError exceptions! See Inexplicable "RangeError: Attempt to write outside buffer bounds" nodejs/node#7047 (comment). Pretty bad bug, IMO.

Node.js will fix the issue in a future release. We should validate user data better so that we're not accepting whatever random numbers the user gives us.

Going to re-open this issue to track progress toward that goal.

@feross feross reopened this May 30, 2016
@feross feross changed the title Attempt to write outside buffer bounds [Security] Attempt to write outside buffer bounds May 30, 2016
@feross feross added bug and removed need more info labels May 30, 2016
@feross
Member

feross commented May 30, 2016

PRs to ensure better type checking of arguments to Buffer():

@feross
Member

feross commented May 30, 2016

With the combination of using safe-buffer, fixing the one case I found where a negative number could be passed into Buffer(), and the fix to Node.js coming soon, I think this can be closed now.

If someone sees this in the wild using the latest (0.94.3) version of WebTorrent, please leave a comment or open a new issue and I'll investigate further.
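
Added example, not part of the thread and not WebTorrent's own code: one way to validate a peer-supplied size before it reaches a Buffer allocation, the kind of check the comments above call for. The names `checkedSize`, `allocFromPeer`, `classify` and the `MAX_ALLOC` limit are assumptions; the thread does not say which field carried the negative value.

```javascript
'use strict'

// Assumed upper bound for any size a remote peer may declare (10 MiB).
const MAX_ALLOC = 10 * 1024 * 1024

// Validate an untrusted value that is about to be used as a byte count.
// Rejects non-numbers (a string would make the old overloaded
// `new Buffer(x)` copy bytes instead of allocating), fractions, NaN,
// negatives (the trigger described in this issue) and oversized values.
function checkedSize (value, max = MAX_ALLOC) {
  if (typeof value !== 'number' || !Number.isSafeInteger(value)) {
    throw new TypeError('size must be an integer, got ' + typeof value)
  }
  if (value < 0 || value > max) {
    throw new RangeError('size ' + value + ' outside 0..' + max)
  }
  return value
}

// Allocate only after validation, and through the explicit allocator
// (Buffer.alloc zero-fills and accepts only a size) rather than the
// overloaded constructor.
function allocFromPeer (declaredSize) {
  return Buffer.alloc(checkedSize(declaredSize))
}

// Map each input to the allocated length or the name of the error raised,
// so callers can log and drop the peer instead of crashing the process.
function classify (values) {
  return values.map(v => {
    try {
      return allocFromPeer(v).length
    } catch (err) {
      return err.name
    }
  })
}

// Constructed sample values standing in for numbers read off the wire.
const samples = [16384, -1, 1.5, '16384', NaN, 2 ** 40]
console.log(classify(samples))
```
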

@lock

lock bot commented May 4, 2018

This thread has been automatically locked because it has not had recent activity. To discuss further, please open a new issue.

@lock lock bot locked as resolved and limited conversation to collaborators May 4, 2018