luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-01-27 14:36:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix_g_socket_send_message' into 'master'

Browse Source 
Fix possible integer overflow of g_socket_send_message()

See merge request GNOME/glib!1873
This commit is contained in:
Sebastian Dröge 2021-01-12 15:05:27 +00:00
commit af0a555d27
1 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
gio/gsocket.c
View File

@ -4754,6 +4754,11 @@ input_message_from_msghdr (const struct msghdr *msg,
* notified of a %G_IO_OUT condition. (On Windows in particular, this is * notified of a %G_IO_OUT condition. (On Windows in particular, this is
* very common due to the way the underlying APIs work.) * very common due to the way the underlying APIs work.)
* *
* Finally, it must be mentioned that the whole message buffer cannot
* exceed %G_MAXSSIZE, if the message can be more than this, then it
* is mandatory to use the g_socket_send_message_with_timeout()
* function.
*
* On error -1 is returned and @error is set accordingly. * On error -1 is returned and @error is set accordingly.
* *
* Returns: Number of bytes written (which may be less than @size), or -1 * Returns: Number of bytes written (which may be less than @size), or -1
@ -4774,6 +4779,29 @@ g_socket_send_message (GSocket *socket,
{ {
GPollableReturn res; GPollableReturn res;
gsize bytes_written = 0; gsize bytes_written = 0;
gsize vectors_size = 0;
for (gsize i = 0; i < num_vectors; i++)
{
/* No wrap-around for vectors_size */
if (vectors_size > vectors_size + vectors[i].size)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
_("Unable to send message: %s"),
_("Message too large"));
return -1;
}
vectors_size += vectors[i].size;
}
/* Check if vectors buffers are too big for gssize */
if (vectors_size > G_MAXSSIZE)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
_("Unable to send message: %s"),
_("Message too large"));
return -1;
}
res = g_socket_send_message_with_timeout (socket, address, res = g_socket_send_message_with_timeout (socket, address,
vectors, num_vectors, vectors, num_vectors,
@ -4782,6 +4810,8 @@ g_socket_send_message (GSocket *socket,
&bytes_written, &bytes_written,
cancellable, error); cancellable, error);
g_assert (res != G_POLLABLE_RETURN_OK || bytes_written <= G_MAXSSIZE);
if (res == G_POLLABLE_RETURN_WOULD_BLOCK) if (res == G_POLLABLE_RETURN_WOULD_BLOCK)
{ {
#ifndef G_OS_WIN32 #ifndef G_OS_WIN32
@ -4791,7 +4821,7 @@ g_socket_send_message (GSocket *socket,
#endif #endif
} }
return res == G_POLLABLE_RETURN_OK ? bytes_written : -1; return res == G_POLLABLE_RETURN_OK ? (gssize) bytes_written : -1;
} }
/** /**