Client UDP malformed-packet logging can read past a one-byte packet

Summary

Client UDP receive handling detects packets shorter than the two-byte protocol and opcode header, but the error logging path still reads pBuffer[1] unconditionally. A one-byte malformed post-decrypt packet can therefore read past the logical packet length.

This blocks Beta 0.7.3 because malformed remote UDP input must not cause out-of-bounds reads, even in diagnostics.

Evidence

  • srchybrid/ClientUDPSocket.cpp:91 switches on pBuffer[0].
  • srchybrid/ClientUDPSocket.cpp:93 detects nPacketLen < 2.
  • srchybrid/ClientUDPSocket.cpp:179 logs pBuffer[1] unconditionally.

Execution Plan

  1. Revalidate all error logging paths in CClientUDPSocket::OnReceive.
  2. Guard opcode logging behind nPacketLen >= 2.
  3. Use a sentinel or text marker for missing opcode on shorter packets.
  4. Keep valid ED2K and Kad packet processing unchanged.
  5. Add seam/unit coverage for zero-byte and one-byte post-decrypt payloads.
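
Steps 2, 3 and 5 sketched as an added example; this is not code from the eMule tree or from the commits referenced below. The helper names, the "<missing>" marker and the log text are hypothetical, and only pBuffer and nPacketLen are taken from this issue. The sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical helper: formats the byte at `index` as 0xNN only when that
// index lies inside the logical packet (index < nPacketLen). Otherwise it
// returns a text marker and never dereferences pBuffer.
static std::string FormatByteOrMarker(const uint8_t *pBuffer, size_t nPacketLen, size_t index)
{
    if (pBuffer == nullptr || index >= nPacketLen)
        return "<missing>";
    char text[8];
    std::snprintf(text, sizeof text, "0x%02X", pBuffer[index]);
    return text;
}

// Hypothetical helper: builds the diagnostic line for the error logging path.
// The receive buffer is usually larger than the decrypted payload, so the
// bound that matters is nPacketLen, not the allocation size.
std::string DescribeClientUdpError(const uint8_t *pBuffer, size_t nPacketLen)
{
    return "client UDP error: len=" + std::to_string(nPacketLen)
        + " protocol=" + FormatByteOrMarker(pBuffer, nPacketLen, 0)
        + " opcode=" + FormatByteOrMarker(pBuffer, nPacketLen, 1);
}

int main()
{
    // Constructed sample: a two-byte buffer in which the second byte is
    // stale data that must not appear in the log when nPacketLen is 0 or 1.
    const uint8_t buffer[] = { 0xE3, 0xAA };
    for (size_t nPacketLen = 0; nPacketLen <= sizeof buffer; ++nPacketLen)
        std::puts(DescribeClientUdpError(buffer, nPacketLen).c_str());
    return 0;
}
```

The stale second byte stands in for whatever sits behind a one-byte payload in the real receive buffer, which is why the zero-byte and one-byte cases are checked against the logical length rather than the buffer size.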

Acceptance Criteria

  • No logging path reads past nPacketLen.
  • Malformed one-byte packets produce safe diagnostics.
  • Valid Kad and ED2K UDP packet handling is unchanged.

Validation

  • 2026-05-08: Done in app commit 1af8bb5 and test commit cfe9b96.
  • python -m emule_workspace validate --workspace-root .
  • python -m emule_workspace build app --workspace-root . --config Release --platform x64 --variant main
  • python -m emule_workspace build tests --workspace-root . --config Release --platform x64 --test-run-variant main
  • repos\emulebb-build-tests\build\eMulebb-workspace-v0.72a-eMule-main\x64\Release\emule-tests.exe --test-suite=parity --test-case="Client UDP seam only reads diagnostic opcode when packet contains it": 8 assertions passed.