Buffer overflow in Toxcore exploited by sending a UDP packet

Toxcore, the reference implementation of the Tox P2P messaging protocol, has a vulnerability (CVE-2021-44847) that could potentially lead to code execution when a specially crafted UDP packet is processed. All users of Toxcore-based applications that do not have UDP transport disabled are affected by the vulnerability. To attack, it is enough to send a UDP packet knowing the victim's IP address, network port and public DHT key (this information is publicly available in the DHT, so the attack can be carried out against any user or DHT node).

The problem was present in toxcore releases 0.1.9 through 0.2.12 and was fixed in version 0.2.13. Among client applications, only the qTox project has so far released an update that removes the vulnerability. As a security workaround, you can disable UDP while keeping TCP support.

The vulnerability is caused by a buffer overflow in the handle_request() function, which occurs because the size of the data in a network packet is calculated incorrectly. Specifically, the length of the encrypted data was determined using the macro CRYPTO_SIZE, defined as "1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE", which was later used in the subtraction "length - CRYPTO_SIZE". Because the macro had no parentheses, instead of subtracting the sum of all the values, the expression subtracted 1 and added the remaining parts. For example, instead of "length - (1 + 32 * 2 + 24)", the buffer size was calculated as "length - 1 + 32 * 2 + 24", which resulted in data on the stack being overwritten beyond the buffer boundary.
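The macro expansion described above, as an added example that is not Toxcore's own code: it compares the unparenthesized and parenthesized forms of the size macro and shows a bounds check that rejects lengths that do not fit the destination. The names CRYPTO_SIZE_UNPAREN, CRYPTO_SIZE_PAREN, the three functions and the sample lengths are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define CRYPTO_PUBLIC_KEY_SIZE 32
#define CRYPTO_NONCE_SIZE 24

/* Form described in the article: the expansion is not parenthesized. */
#define CRYPTO_SIZE_UNPAREN 1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE
/* Parenthesized form: the macro expands to a single operand. */
#define CRYPTO_SIZE_PAREN (1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE)

/* Expands to: length - 1 + 32 * 2 + 24, i.e. length + 87. */
long payload_len_unparen(long length) {
    return length - CRYPTO_SIZE_UNPAREN;
}

/* Expands to: length - (1 + 32 * 2 + 24), i.e. length - 89. */
long payload_len_paren(long length) {
    return length - CRYPTO_SIZE_PAREN;
}

/* Hypothetical defensive check (an assumption, not the project's fix):
 * returns the payload length, or -1 if the packet is no longer than the
 * header or the payload would not fit in a destination of dst_capacity. */
long checked_payload_len(size_t length, size_t dst_capacity) {
    const size_t header = (size_t)CRYPTO_SIZE_PAREN;
    if (length <= header) return -1;
    if (length - header > dst_capacity) return -1;
    return (long)(length - header);
}

int main(void) {
    const long samples[] = {89, 100, 1024};  /* constructed packet lengths */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long len = samples[i];
        printf("length=%ld unparenthesized=%ld parenthesized=%ld checked(cap=64)=%ld\n",
               len, payload_len_unparen(len), payload_len_paren(len),
               checked_payload_len((size_t)len, 64));
    }
    return 0;
}
```

For every input the unparenthesized form is 176 bytes larger than the intended value, which is why a copy sized from it runs past the end of the buffer.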

Source: opennet.ru
