| Summary: | [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Yoshiaki Jitsukawa <yoshiaki.jitsukawa> | ||||
| Component: | WebKit Misc. | Assignee: | Yoshiaki Jitsukawa <yoshiaki.jitsukawa> | ||||
| Status: | NEW --- | ||||||
| Severity: | Normal | CC: | achristensen, yoshiaki.jitsukawa | ||||
| Priority: | P2 | ||||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
Created attachment 339189 [details]
Patch
Comment on attachment 339189 [details]
Patch
This has been requesting review for more than one year. If this is still needed, please rebase and re-request review.
|
On the sender side, file descriptors can be attached up to attachmentMaxAmount = 255 and cmsg_len can be CMSG_LEN(0) + attachmentMaxAmount * sizeof(int). On the receiver side, however, readBytesFromSocket() is doing following comparison: if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { ASSERT_NOT_REACHED(); break; } I suppose this should be (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount as fileDescriptorsCount is calclulated as: size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int);