Bug 221544 - NetworkRTCSocketCocoa extractDataMessages should not read too much data
Summary: NetworkRTCSocketCocoa extractDataMessages should not read too much data
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebRTC
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-02-08 04:34 PST by youenn fablet
Modified: 2021-02-08 11:47 PST

See Also:


Attachments
Patch (26.20 KB, patch)
2021-02-08 05:44 PST, youenn fablet
ews-feeder: commit-queue-
Patch (27.20 KB, patch)
2021-02-08 06:12 PST, youenn fablet
no flags
Patch (26.16 KB, patch)
2021-02-08 07:08 PST, youenn fablet
no flags
Patch for landing (26.29 KB, patch)
2021-02-08 09:04 PST, youenn fablet
no flags

Description youenn fablet 2021-02-08 04:34:03 PST
NetworkRTCSocketCocoa extractDataMessages should not read too much data
Comment 1 youenn fablet 2021-02-08 05:44:33 PST
Created attachment 419578 [details]
Patch
Comment 2 youenn fablet 2021-02-08 06:12:29 PST
Created attachment 419583 [details]
Patch
Comment 3 youenn fablet 2021-02-08 07:08:41 PST
Created attachment 419588 [details]
Patch
Comment 4 Eric Carlson 2021-02-08 08:49:07 PST
Comment on attachment 419588 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=419588&action=review

> Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:96
> +        bool canReadLength = size >= 2;
> +        size_t length = canReadLength ? be16toh(*reinterpret_cast<const uint16_t*>(data)) : 0;
> +        if (!canReadLength || length > size - 2) {
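Review bot: the length read at line 96, `be16toh(*reinterpret_cast<const uint16_t*>(data))`, dereferences the message buffer as a `uint16_t`, and nothing in this hunk guarantees that `data` is 2-byte aligned; an unaligned dereference is undefined behaviour in C++ and faults on strict-alignment targets. Reading the two bytes with `memcpy(&rawLength, data, sizeof(rawLength))` (or assembling them byte-wise) before `be16toh` avoids that. The bounds logic itself is sound: the short-circuit in `!canReadLength || length > size - 2` means `size - 2` is only evaluated once `size >= 2` has been established, so the subtraction cannot underflow, and a declared attribute length larger than the remaining bytes is rejected before anything is read past the buffer.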

`2` would be better as a named const initialized with sizeof

> Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:106
> +        data += 2;
> +        size -= 2;

Ditto
Comment 5 youenn fablet 2021-02-08 09:04:14 PST
Created attachment 419596 [details]
Patch for landing
Comment 6 youenn fablet 2021-02-08 09:04:43 PST
(In reply to Eric Carlson from comment #4)
> Comment on attachment 419588 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=419588&action=review
> 
> > Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:96
> > +        bool canReadLength = size >= 2;
> > +        size_t length = canReadLength ? be16toh(*reinterpret_cast<const uint16_t*>(data)) : 0;
> > +        if (!canReadLength || length > size - 2) {
> 
> `2` would be better as a named const initialized with sizeof
> 
> > Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:106
> > +        data += 2;
> > +        size -= 2;
> 
> Ditto

Done, thanks!
Comment 7 youenn fablet 2021-02-08 11:35:45 PST
<rdar://problem/73962727>
Comment 8 youenn fablet 2021-02-08 11:36:14 PST
Comment on attachment 419596 [details]
Patch for landing

win failure is unrelated
Comment 9 EWS 2021-02-08 11:47:34 PST
Committed r272504: <https://commits.webkit.org/r272504>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 419596 [details].