Bug 185160

Summary: [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount
Product: WebKit Reporter: Yoshiaki Jitsukawa <yoshiaki.jitsukawa>
Component: WebKit Misc.Assignee: Yoshiaki Jitsukawa <yoshiaki.jitsukawa>
Status: NEW    
Severity: Normal CC: achristensen, yoshiaki.jitsukawa
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Yoshiaki Jitsukawa
Reported 2018-04-30 23:29:47 PDT
On the sender side, file descriptors can be attached up to attachmentMaxAmount = 255 and cmsg_len can be CMSG_LEN(0) + attachmentMaxAmount * sizeof(int). On the receiver side, however, readBytesFromSocket() is doing following comparison: if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { ASSERT_NOT_REACHED(); break; } I suppose this should be (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount as fileDescriptorsCount is calclulated as: size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int);
Attachments
Patch (1.91 KB, patch)
2018-04-30 23:50 PDT, Yoshiaki Jitsukawa 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yoshiaki Jitsukawa
Comment 1 2018-04-30 23:50:32 PDT
Created attachment 339189 [details] Patch
Alex Christensen
Comment 2 2021-11-01 12:06:54 PDT
Comment on attachment 339189 [details] Patch This has been requesting review for more than one year. If this is still needed, please rebase and re-request review.
Note You need to log in before you can comment on or make changes to this bug.