One byte oobread in the rap server

author pancake <pancake@nopcode.org>

Thu, 25 Dec 2025 10:53:31 +0000 (11:53 +0100)

committer pancake <pancake@nopcode.org>

Thu, 25 Dec 2025 10:53:31 +0000 (11:53 +0100)
author pancake <pancake@nopcode.org>
Thu, 25 Dec 2025 10:53:31 +0000 (11:53 +0100)
committer pancake <pancake@nopcode.org>
Thu, 25 Dec 2025 10:53:31 +0000 (11:53 +0100)
diff --git a/.gitignore b/.gitignore

index 8b3fd9a37a87d0e55a1bd062dc1b88cba79f2f44..3d514dbd543483a8046ffc3fff7736528a3493f1 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -162,4 +162,4 @@ libr/bin/d/dll/*.c
  .personal_files/
  a
  poc
-poc.zip
+*.zip
diff --git a/libr/socket/socket_rap_server.c b/libr/socket/socket_rap_server.c

index 3641dbde47bc1d95d545d69bea4a0be8d24cff0b..361d61ba01ab08e4606df540d8cc24161421e20d 100644 (file)
--- a/libr/socket/socket_rap_server.c
+++ b/libr/socket/socket_rap_server.c
@@ -64,7 +64,7 @@ R_API bool r_socket_rap_server_continue(RSocketRapServer *s) {
                 r_socket_read_block (s->fd, &s->buf[1], 2);
                 {
                 int len = (int)(ut8)s->buf[2];
-               if (len > sizeof (s->buf) - 3) {
+               if (len >= sizeof (s->buf) - 3) {
                         R_LOG_ERROR ("rap: filename too long %d", len);
                         r_socket_close (s->fd);
                         return false;
author	pancake <pancake@nopcode.org>
	Thu, 25 Dec 2025 10:53:31 +0000 (11:53 +0100)
committer	pancake <pancake@nopcode.org>
	Thu, 25 Dec 2025 10:53:31 +0000 (11:53 +0100)
.gitignore		patch \| blob \| history
libr/socket/socket_rap_server.c		patch \| blob \| history