185160 2018-04-30 23:29:47 -0700 [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount 2021-11-01 21:06:50 -0700 1 1 1 Unclassified WebKit WebKit Misc. WebKit Nightly Build Unspecified Unspecified NEW P2 Normal --- 1 yoshiaki.jitsukawa yoshiaki.jitsukawa achristensen yoshiaki.jitsukawa oldest_to_newest 1419267 0 yoshiaki.jitsukawa 2018-04-30 23:29:47 -0700 On the sender side, file descriptors can be attached up to attachmentMaxAmount = 255 and cmsg_len can be CMSG_LEN(0) + attachmentMaxAmount * sizeof(int). On the receiver side, however, readBytesFromSocket() is doing following comparison: if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { ASSERT_NOT_REACHED(); break; } I suppose this should be (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount as fileDescriptorsCount is calclulated as: size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int); 1419274 1 339189 yoshiaki.jitsukawa 2018-04-30 23:50:32 -0700 Created attachment 339189 Patch 1810734 2 339189 achristensen 2021-11-01 12:06:54 -0700 Comment on attachment 339189 Patch This has been requesting review for more than one year. If this is still needed, please rebase and re-request review. 339189 2018-04-30 23:50:32 -0700 2021-11-01 12:06:54 -0700 Patch bug185160.patch text/plain 1959 yoshiaki.jitsukawa ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nIGIvU291cmNlL1dlYktpdC9DaGFu Z2VMb2cKaW5kZXggYjQ1YjljOGI3YjAuLjkwMTA5YzgyOTJhIDEwMDY0NAotLS0gYS9Tb3VyY2Uv V2ViS2l0L0NoYW5nZUxvZworKysgYi9Tb3VyY2UvV2ViS2l0L0NoYW5nZUxvZwpAQCAtMSwzICsx LDE5IEBACisyMDE4LTA0LTMwICBZb3NoaWFraSBKaXRzdWthd2EgIDx5b3NoaWFraS5qaXRzdWth d2FAc29ueS5jb20+CisKKyAgICAgICAgW0Nvbm5lY3Rpb25Vbml4XSByZWFkQnl0ZXNGcm9tU29j a2V0KCkgd3JvbmdseSBjb21wYXJlcyBjbXNnX2xlbiB3aXRoIGF0dGFjaG1lbnRNYXhBbW91bnQK KyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE4NTE2MAor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogUGxhdGZv cm0vSVBDL3VuaXgvQ29ubmVjdGlvblVuaXguY3BwOgorICAgICAgICAoSVBDOjpyZWFkQnl0ZXNG cm9tU29ja2V0KToKKworICAgICAgICBFbnN1cmUgY21zZ19sZW4gaXMgc21hbGwgZW5vdWdoIGJ5 IGRvaW5nIHRoZSBjb21wYXJpc29uOgorICAgICAgICAgIChjb250cm9sTWVzc2FnZS0+Y21zZ19s ZW4gLSBDTVNHX0xFTigwKSkgLyBzaXplb2YoaW50KSA+IGF0dGFjaG1lbnRNYXhBbW91bnQKKyAg ICAgICAgaW5zdGVhZCBvZjoKKyAgICAgICAgICBjb250cm9sTWVzc2FnZS0+Y21zZ19sZW4gPiBh dHRhY2htZW50TWF4QW1vdW50CisgICAgICAgIHNpbmNlIHRoZSBzZW5kZXIgbWF5IHNlbmQgdXAg dG8gYXR0YWNobWVudE1heEFtb3VudCAqIHNpemVvZihpbnQpIGJ5dGUgZGF0YSBpbiBhIGNtc2cu CisKIDIwMTgtMDQtMzAgIEFuZHkgRXN0ZXMgIDxhZXN0ZXNAYXBwbGUuY29tPgogCiAgICAgICAg IFtpT1NdIFRyeSB0byB1bmxvY2sgUERGIGRvY3VtZW50cyBiZWZvcmUgcHJpbnRpbmcgdGhlbQpk aWZmIC0tZ2l0IGEvU291cmNlL1dlYktpdC9QbGF0Zm9ybS9JUEMvdW5peC9Db25uZWN0aW9uVW5p eC5jcHAgYi9Tb3VyY2UvV2ViS2l0L1BsYXRmb3JtL0lQQy91bml4L0Nvbm5lY3Rpb25Vbml4LmNw cAppbmRleCAzYzQ2Mzk0ZTJlMy4uZmYyMTU2N2E3N2YgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJL aXQvUGxhdGZvcm0vSVBDL3VuaXgvQ29ubmVjdGlvblVuaXguY3BwCisrKyBiL1NvdXJjZS9XZWJL aXQvUGxhdGZvcm0vSVBDL3VuaXgvQ29ubmVjdGlvblVuaXguY3BwCkBAIC0yNzEsNyArMjcxLDcg QEAgc3RhdGljIHNzaXplX3QgcmVhZEJ5dGVzRnJvbVNvY2tldChpbnQgc29ja2V0RGVzY3JpcHRv ciwgVmVjdG9yPHVpbnQ4X3Q+JiBidWZmZXIKICAgICAgICAgc3RydWN0IGNtc2doZHIqIGNvbnRy b2xNZXNzYWdlOwogICAgICAgICBmb3IgKGNvbnRyb2xNZXNzYWdlID0gQ01TR19GSVJTVEhEUigm bWVzc2FnZSk7IGNvbnRyb2xNZXNzYWdlOyBjb250cm9sTWVzc2FnZSA9IENNU0dfTlhUSERSKCZt ZXNzYWdlLCBjb250cm9sTWVzc2FnZSkpIHsKICAgICAgICAgICAgIGlmIChjb250cm9sTWVzc2Fn ZS0+Y21zZ19sZXZlbCA9PSBTT0xfU09DS0VUICYmIGNvbnRyb2xNZXNzYWdlLT5jbXNnX3R5cGUg PT0gU0NNX1JJR0hUUykgewotICAgICAgICAgICAgICAgIGlmIChjb250cm9sTWVzc2FnZS0+Y21z Z19sZW4gPCBDTVNHX0xFTigwKSB8fCBjb250cm9sTWVzc2FnZS0+Y21zZ19sZW4gPiBhdHRhY2ht ZW50TWF4QW1vdW50KSB7CisgICAgICAgICAgICAgICAgaWYgKGNvbnRyb2xNZXNzYWdlLT5jbXNn X2xlbiA8IENNU0dfTEVOKDApIHx8IChjb250cm9sTWVzc2FnZS0+Y21zZ19sZW4gLSBDTVNHX0xF TigwKSkgLyBzaXplb2YoaW50KSA+IGF0dGFjaG1lbnRNYXhBbW91bnQpIHsKICAgICAgICAgICAg ICAgICAgICAgQVNTRVJUX05PVF9SRUFDSEVEKCk7CiAgICAgICAgICAgICAgICAgICAgIGJyZWFr OwogICAgICAgICAgICAgICAgIH0K