From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 19 Sep 2014 22:21:22 +0000 (+0100)
Subject: udp: SECURITY: Pass correct size argument to recvfrom
X-Git-Tag: v0.3.3~4
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=commitdiff_plain;h=1b4ca45e628241eb21bd6f8fbc5ba3c647454db4

udp: SECURITY: Pass correct size argument to recvfrom

Otherwise we risk overflowing the buffer.  This is a critical security
problem.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---

diff --git a/udp.c b/udp.c
index 97b92a6..fa42ba4 100644
--- a/udp.c
+++ b/udp.c
@@ -104,8 +104,9 @@ static void udp_afterpoll(void *state, struct pollfd *fds, int nfds)
 	    BUF_ASSERT_FREE(st->rbuf);
 	    BUF_ALLOC(st->rbuf,"udp_afterpoll");
 	    buffer_init(st->rbuf,calculate_max_start_pad());
-	    rv=recvfrom(st->fd, st->rbuf->start, st->rbuf->len, 0,
-			(struct sockaddr *)&from, &fromlen);
+	    rv=recvfrom(st->fd, st->rbuf->start,
+			(st->rbuf->base + st->rbuf->len) - st->rbuf->start,
+			0, (struct sockaddr *)&from, &fromlen);
 	    if (rv>0) {
 		st->rbuf->size=rv;
 		if (st->use_proxy) {