RESOLVED FIXED Bug 221544
NetworkRTCSocketCocoa extractDataMessages should not read too much data
https://bugs.webkit.org/show_bug.cgi?id=221544
youenn fablet
Reported 2021-02-08 04:34:03 PST
NetworkRTCSocketCocoa extractDataMessages should not read too much data
Attachments
Patch (26.20 KB, patch)
2021-02-08 05:44 PST, youenn fablet
ews-feeder: commit-queue-
Patch (27.20 KB, patch)
2021-02-08 06:12 PST, youenn fablet
no flags
Patch (26.16 KB, patch)
2021-02-08 07:08 PST, youenn fablet
no flags
Patch for landing (26.29 KB, patch)
2021-02-08 09:04 PST, youenn fablet
no flags
youenn fablet
Comment 1 2021-02-08 05:44:33 PST
youenn fablet
Comment 2 2021-02-08 06:12:29 PST
youenn fablet
Comment 3 2021-02-08 07:08:41 PST
Eric Carlson
Comment 4 2021-02-08 08:49:07 PST
Comment on attachment 419588 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=419588&action=review > Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:96 > + bool canReadLength = size >= 2; > + size_t length = canReadLength ? be16toh(*reinterpret_cast<const uint16_t*>(data)) : 0; > + if (!canReadLength || length > size - 2) { `2` would be better as a named const initialized with sizeof > Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:106 > + data += 2; > + size -= 2; Ditto
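Review bot: At STUNMessageParsing.cpp:96, `*reinterpret_cast<const uint16_t*>(data)` loads the length through a cast pointer, and nothing in the hunk shows that `data` is 2-byte aligned. If `data` is a byte pointer into a received packet, copy the two length bytes into a local `uint16_t` with `memcpy` and pass that to `be16toh`, which avoids the unaligned, type-punned read. The bound check itself is sound as written: `length > size - 2` is only evaluated after `canReadLength` has established `size >= 2`, so the subtraction cannot wrap. A short comment saying that the ordering of the two conditions is what prevents the underflow would help whoever replaces the literal `2` with a named constant here and in the `data += 2; size -= 2;` lines at :106.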
youenn fablet
Comment 5 2021-02-08 09:04:14 PST
Created attachment 419596 Patch for landing
youenn fablet
Comment 6 2021-02-08 09:04:43 PST
(In reply to Eric Carlson from comment #4) > Comment on attachment 419588 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=419588&action=review > > > Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:96 > > + bool canReadLength = size >= 2; > > + size_t length = canReadLength ? be16toh(*reinterpret_cast<const uint16_t*>(data)) : 0; > > + if (!canReadLength || length > size - 2) { > > `2` would be better as a named const initialized with sizeof > > > Source/WebCore/Modules/mediastream/STUNMessageParsing.cpp:106 > > + data += 2; > > + size -= 2; > > Ditto Done, thanks!
youenn fablet
Comment 7 2021-02-08 11:35:45 PST
youenn fablet
Comment 8 2021-02-08 11:36:14 PST
Comment on attachment 419596 Patch for landing
win failure is unrelated
EWS
Comment 9 2021-02-08 11:47:34 PST
Committed r272504: <https://commits.webkit.org/r272504>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 419596.