From 91b51b47692d5032b1216116c430e77791fde7fe Mon Sep 17 00:00:00 2001
From: Stanislav <me@h3xco.de>
Date: Wed, 18 May 2022 09:59:55 +0000
Subject: [PATCH] Fix MTProtoState to check if remote msg_id is correct (#3753)

---
 telethon/_network/mtprotostate.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/telethon/_network/mtprotostate.py b/telethon/_network/mtprotostate.py
index 19578da3..ca7cb3ea 100644
--- a/telethon/_network/mtprotostate.py
+++ b/telethon/_network/mtprotostate.py
@@ -52,7 +52,7 @@ class MTProtoState:
         self.time_offset = 0
         self.salt = 0
 
-        self.id = self._sequence = self._last_msg_id = None
+        self.id = self._sequence = self._last_msg_id = self._last_remote_msg_id = None
         self.reset()
 
     def reset(self):
@@ -63,6 +63,7 @@ class MTProtoState:
         self.id = struct.unpack('q', os.urandom(8))[0]
         self._sequence = 0
         self._last_msg_id = 0
+        self._last_remote_msg_id = 0
 
     def update_message_id(self, message):
         """
@@ -158,6 +159,10 @@ class MTProtoState:
             raise SecurityError('Server replied with a wrong session ID')
 
         remote_msg_id = reader.read_long()
+        if remote_msg_id <= self._last_remote_msg_id:
+            raise SecurityError('Server replied with a wrong message ID')
+        self._last_remote_msg_id = remote_msg_id
+        
         remote_sequence = reader.read_int()
         reader.read_int()  # msg_len for the inner object, padding ignored