~mdw
/
secnet
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
cad6168
)
udp: SECURITY: Pass correct size argument to recvfrom
author
Ian Jackson
<ijackson@chiark.greenend.org.uk>
Fri, 19 Sep 2014 22:21:22 +0000
(23:21 +0100)
committer
Ian Jackson
<ijackson@chiark.greenend.org.uk>
Fri, 19 Sep 2014 22:21:22 +0000
(23:21 +0100)
Otherwise we risk overflowing the buffer. This is a critical security
problem.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
udp.c
patch
|
blob
|
blame
|
history
diff --git
a/udp.c
b/udp.c
index
97b92a6
..
fa42ba4
100644
(file)
--- a/
udp.c
+++ b/
udp.c
@@
-104,8
+104,9
@@
static void udp_afterpoll(void *state, struct pollfd *fds, int nfds)
BUF_ASSERT_FREE(st->rbuf);
BUF_ALLOC(st->rbuf,"udp_afterpoll");
buffer_init(st->rbuf,calculate_max_start_pad());
- rv=recvfrom(st->fd, st->rbuf->start, st->rbuf->len, 0,
- (struct sockaddr *)&from, &fromlen);
+ rv=recvfrom(st->fd, st->rbuf->start,
+ (st->rbuf->base + st->rbuf->len) - st->rbuf->start,
+ 0, (struct sockaddr *)&from, &fromlen);
if (rv>0) {
st->rbuf->size=rv;
if (st->use_proxy) {