WebKit Bugzilla
Attachment 339189 Details for Bug 185160: [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount
[patch] Patch
bug185160.patch (text/plain), 1.91 KB, created by Yoshiaki Jitsukawa on 2018-04-30 23:50:32 PDT
>diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index b45b9c8b7b0..90109c8292a 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,19 @@ >+2018-04-30 Yoshiaki Jitsukawa <yoshiaki.jitsukawa@sony.com> >+ >+ [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount >+ https://bugs.webkit.org/show_bug.cgi?id=185160 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * Platform/IPC/unix/ConnectionUnix.cpp: >+ (IPC::readBytesFromSocket): >+ >+ Ensure cmsg_len is small enough by doing the comparison: >+ (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount >+ instead of: >+ controlMessage->cmsg_len > attachmentMaxAmount >+ since the sender may send up to attachmentMaxAmount * sizeof(int) byte data in a cmsg. >+ > 2018-04-30 Andy Estes <aestes@apple.com> > > [iOS] Try to unlock PDF documents before printing them >diff --git a/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp b/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp >index 3c46394e2e3..ff21567a77f 100644 >--- a/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp >+++ b/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp >@@ -271,7 +271,7 @@ static ssize_t readBytesFromSocket(int socketDescriptor, Vector<uint8_t>& buffer > struct cmsghdr* controlMessage; > for (controlMessage = CMSG_FIRSTHDR(&message); controlMessage; controlMessage = CMSG_NXTHDR(&message, controlMessage)) { > if (controlMessage->cmsg_level == SOL_SOCKET && controlMessage->cmsg_type == SCM_RIGHTS) { >- if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { >+ if (controlMessage->cmsg_len < CMSG_LEN(0) || (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount) { > ASSERT_NOT_REACHED(); > break; > }
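Review bot: The ChangeLog entry for IPC::readBytesFromSocket gives the new comparison but never states the units involved, and it has no line saying how the change was tested. Say explicitly that cmsg_len is a byte length that includes the cmsghdr while attachmentMaxAmount is a count of int-sized attachments, and add either the test that covers this or a note that no new test is included.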
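Review bot: The new condition in readBytesFromSocket(), `(controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount`, truncates on the division, so a cmsg_len whose payload is attachmentMaxAmount * sizeof(int) plus up to sizeof(int) - 1 trailing bytes still passes the check. Comparing the lengths directly, `controlMessage->cmsg_len > CMSG_LEN(sizeof(int) * attachmentMaxAmount)`, avoids the division, rejects that case, and no longer relies on the preceding `cmsg_len < CMSG_LEN(0)` test short-circuiting to keep the unsigned subtraction from wrapping. Separately, the unchanged failure path is `ASSERT_NOT_REACHED(); break;` for a length that arrives from the peer over the socket; since this patch is about what the sender may send, it is worth confirming that an assertion is the intended handling for an oversized control message rather than an explicit error return.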