[PATCH 1/5] udp: SECURITY: Pass correct size argument to recvfrom

Ian Jackson ijackson at chiark.greenend.org.uk
Sat Sep 20 00:43:16 BST 2014


Otherwise we risk overflowing the buffer.  This is a critical security
problem.

Signed-off-by: Ian Jackson <ijackson at chiark.greenend.org.uk>
---
 udp.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/udp.c b/udp.c
index 97b92a6..fa42ba4 100644
--- a/udp.c
+++ b/udp.c
@@ -104,8 +104,9 @@ static void udp_afterpoll(void *state, struct pollfd *fds, int nfds)
 	    BUF_ASSERT_FREE(st->rbuf);
 	    BUF_ALLOC(st->rbuf,"udp_afterpoll");
 	    buffer_init(st->rbuf,calculate_max_start_pad());
-	    rv=recvfrom(st->fd, st->rbuf->start, st->rbuf->len, 0,
-			(struct sockaddr *)&from, &fromlen);
+	    rv=recvfrom(st->fd, st->rbuf->start,
+			(st->rbuf->base + st->rbuf->len) - st->rbuf->start,
+			0, (struct sockaddr *)&from, &fromlen);
 	    if (rv>0) {
 		st->rbuf->size=rv;
 		if (st->use_proxy) {
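
Review bot: The new length argument to recvfrom, `(st->rbuf->base + st->rbuf->len) - st->rbuf->start`, is a signed pointer difference converted to size_t, and nothing in this hunk checks that start still lies at or before base+len after `buffer_init(st->rbuf,calculate_max_start_pad())`. If the pad ever exceeded len, the value would wrap to a very large size and the overflow would return. Consider asserting `st->rbuf->start <= st->rbuf->base + st->rbuf->len` before the call, or moving the computation into a small helper alongside BUF_ALLOC and BUF_ASSERT_FREE so any other receive path uses the same bound rather than `st->rbuf->len`. The commit message could also say in one sentence why `st->rbuf->len` was the wrong size (start is apparently offset from base by the padding), since the subject is marked SECURITY and readers will want to judge their exposure.
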
-- 
1.7.10.4



