From 124d23aca82a1a318fd142bdd634ffb15b9d1ce4 Mon Sep 17 00:00:00 2001
From: Alexander Zinchuk
Date: Fri, 10 Dec 2021 18:32:20 +0100
Subject: [PATCH] GramJs: Prevent duplicate message ID attack (#1563)

---
 src/lib/gramjs/network/MTProtoState.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/lib/gramjs/network/MTProtoState.js b/src/lib/gramjs/network/MTProtoState.js
index 0f5550d24..21e7a5411 100644
--- a/src/lib/gramjs/network/MTProtoState.js
+++ b/src/lib/gramjs/network/MTProtoState.js
@@ -49,6 +49,7 @@ class MTProtoState {
 this.id = undefined;
 this._sequence = undefined;
 this._lastMsgId = undefined;
+ this.msgIds = [];
 this.reset();
 }
 
@@ -60,6 +61,7 @@ class MTProtoState {
 this.id = Helpers.generateRandomLong(true);
 this._sequence = 0;
 this._lastMsgId = BigInt(0);
+ this.msgIds = [];
 }
 
 /**
@@ -196,6 +198,16 @@ class MTProtoState {
 }
 
 const remoteMsgId = reader.readLong();
+ // if we get a duplicate message id we should ignore it.
+ if (this.msgIds.includes(remoteMsgId.toString())) {
+ throw new SecurityError('Duplicate msgIds');
+ }
+ // we only store the latest 500 message ids from the server
+ if (this.msgIds.length > 500) {
+ this.msgIds.shift();
+ }
+ this.msgIds.push(remoteMsgId.toString());
+
 const remoteSequence = reader.readInt();
 const containerLen = reader.readInt(); // msgLen for the inner object, padding ignored
 const diff = body.length - containerLen;
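Review bot: The comment added before the check says a duplicate message id "should be ignored", but the code throws `SecurityError('Duplicate msgIds')`, which aborts decryption of the whole incoming payload; either the comment or the behaviour should change, e.g. `// A repeated server msg_id indicates a replayed message; reject it rather than process it twice.` The replay window is also bounded by a bare `500` with an off-by-one (`length > 500` lets 501 entries accumulate before `shift()`), and `Array.prototype.includes` plus `shift()` make every incoming message an O(n) scan over that list, whereas a `Set` gives O(1) membership and preserves insertion order so the oldest entry can still be evicted first. The id is recorded before the container-length check that follows it, so a message that fails that later check still occupies a slot in the window; if that is intended it deserves a comment. The two `this.msgIds = []` initialisations in the earlier hunks would become `this.msgIds = new Set();` under this change, and I am assuming `SecurityError` is already imported in this file since the hunk does not add it. The enclosing method starts and ends outside this hunk.
```javascript
const remoteMsgId = reader.readLong();
const msgIdKey = remoteMsgId.toString();
// A repeated server msg_id indicates a replayed message; reject it rather than process it twice.
if (this.msgIds.has(msgIdKey)) {
    throw new SecurityError('Duplicate msgIds');
}
// Keep only the latest 500 server msg_ids; a Set iterates in insertion order, so the oldest is first.
if (this.msgIds.size >= 500) {
    this.msgIds.delete(this.msgIds.values().next().value);
}
this.msgIds.add(msgIdKey);
// … unchanged: remoteSequence / containerLen reads and the length check …
```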