185160 – [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount

NEW185160

[ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachmentMaxAmount

https://bugs.webkit.org/show_bug.cgi?id=185160

Summary [ConnectionUnix] readBytesFromSocket() wrongly compares cmsg_len with attachm...

Yoshiaki Jitsukawa

Reported 2018-04-30 23:29:47 PDT

On the sender side, file descriptors can be attached up to attachmentMaxAmount = 255 and cmsg_len can be CMSG_LEN(0) + attachmentMaxAmount * sizeof(int). On the receiver side, however, readBytesFromSocket() is doing following comparison: if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { ASSERT_NOT_REACHED(); break; } I suppose this should be (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int) > attachmentMaxAmount as fileDescriptorsCount is calclulated as: size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int);

Attachments
Patch (1.91 KB, patch) 2018-04-30 23:50 PDT, Yoshiaki Jitsukawa	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Yoshiaki Jitsukawa

Comment 1 2018-04-30 23:50:32 PDT

Created attachment 339189 [details] Patch

Alex Christensen

Comment 2 2021-11-01 12:06:54 PDT

Comment on attachment 339189 [details] Patch This has been requesting review for more than one year. If this is still needed, please rebase and re-request review.

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKit Misc.

Assignee

Yoshiaki Jitsukawa

Reported

2018-04-30 23:29 PDT

Modified

2021-11-01 21:06 PDT History

CC List

2 users Show

URL

Keywords

Depends on

Blocks