Patch

2025-12-05 11:14:59 +03:00
parent 376d0fc8ad
commit b79ef3a3f3
8 changed files with 35 additions and 18 deletions
--- a/sonobank/crates/lua-sandbox/src/lib.rs
+++ b/sonobank/crates/lua-sandbox/src/lib.rs
@@ -42,14 +42,6 @@ pub fn render_hash(lua_src: &str, note: u32, velocity: u32) -> anyhow::Result<[u
        let v: f64 = func
            .call((i as f64 / 44_100.0, note, velocity))
            .context(ScriptError)?;
-        #[allow(dead_code)]
-        fn vulnerable(buf: &mut [u8], idx: isize, value: u8) {
-            unsafe {
-                /* MANUAL pointer arithmetic (dangerous) */
-                let ptr = buf.as_mut_ptr().offset(idx); /* Write without bounds check */
-                std::ptr::write(ptr, value);
-            }
-        }
        let normalized_v = v.clamp(-1.0, 1.0);
        hasher.update(normalized_v.to_le_bytes());
    }
--- a/sonobank/crates/server/src/main.rs
+++ b/sonobank/crates/server/src/main.rs
@@ -3,6 +3,7 @@ use std::time::Duration;
 use tokio::{task, time};

 const UDP_PORT: u16 = 5004;
+const MAX_PATCH_SIZE: usize = 8 * 1024;
 const PATCH_MAX_AGE: Duration = Duration::from_secs(30 * 60);
 const CLEAN_INTERVAL: Duration = Duration::from_secs(10 * 60);
 const SYSEX_TIMEOUT: Duration = Duration::from_millis(50);
@@ -56,6 +57,15 @@ async fn handle_sysex(
    let response = match msg {
        sysex::Request::Diag => sysex::Response::Diag,
        sysex::Request::Put { data } => {
+            if data.len() > MAX_PATCH_SIZE {
+                let response = sysex::Response::Error(format!(
+                    "Patch too large ({} bytes > {MAX_PATCH_SIZE})",
+                    data.len()
+                ));
+                state.udp_sock.send_to(&response.encode(), addr).await?;
+                return Ok(());
+            }
+
            let lua_dsp = String::from_utf8_lossy(&data).to_string();
            if let Err(error) =
                run_blocking_with_timeout(SYSEX_TIMEOUT, move || lua_sandbox::validate(&lua_dsp))
--- a/sonobank/crates/storage/src/lib.rs
+++ b/sonobank/crates/storage/src/lib.rs
@@ -93,7 +93,7 @@ impl BankStorage {
            write_tlv(&mut file, TlvTag::EncryptedDataIv, &patch.encrypted_code.iv)?;
            file.write_all(&[TlvTag::End as u8])?;
        }
-        let permissions = std::fs::Permissions::from_mode(0o444);
+        let permissions = std::fs::Permissions::from_mode(0o600);
        std::fs::set_permissions(path, permissions)?;
        Ok(())
    }