NEW185160
[ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount
https://bugs.webkit.org/show_bug.cgi?id=185160
Summary [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachm...
Yoshiaki Jitsukawa
Reported 2018-04-30 23:29:47 PDT
On the sender side, file descriptors can be attached up to attachmentMaxAmount = 255 and cmsg_len can be CMSG_LEN(0) + attachmentMaxAmount * sizeof(int). On the receiver side, however, readBytesFromSocket() is doing following comparison: if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { ASSERT_NOT_REACHED(); break; } I suppose this should be (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount as fileDescriptorsCount is calclulated as: size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int);
Attachments
Patch (1.91 KB, patch)
2018-04-30 23:50 PDT, Yoshiaki Jitsukawa
no flags
Yoshiaki Jitsukawa
Comment 1 2018-04-30 23:50:32 PDT
Alex Christensen
Comment 2 2021-11-01 12:06:54 PDT
Comment on attachment 339189 [details] Patch This has been requesting review for more than one year. If this is still needed, please rebase and re-request review.
Note You need to log in before you can comment on or make changes to this bug.