Hi,

Attached is a patch for glibc to check for negative indexes in
_hurd_socket_server(). This should prevent calls to socket() or
socketpair() with domain < 0 from reading/setting OOB memory (and
potentially crashing, as happens when doing such calls using perl's
socketpair, for example), which also causes a warning "task XXX
deallocating an invalid port YYY, most probably a bug" in that situation.

-- 
Pino Toscano
Refuse negative socket domains right away; otherwise, it is possible to read
and set out-of-bounds locations of the `servers' array (returning the values
at those invalid memory locations), and even try to deallocate ports with
random values if the `dead' parameter is different than zero.

* hurd/hurdsock.c (_hurd_socket_server): Check for negative domains.
--- a/hurd/hurdsock.c
+++ b/hurd/hurdsock.c
@@ -47,6 +47,12 @@
 {
   socket_t server;
 
+  if (domain < 0)
+    {
+      errno = EAFNOSUPPORT;
+      return MACH_PORT_NULL;
+    }
+
   HURD_CRITICAL_BEGIN;
   __mutex_lock (&lock);
 
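Review bot: The new `if (domain < 0)` test at the top of the function bounds the index from below only, and the visible context does not show how a domain past the end of the `servers' array is handled. Please confirm that the code after `__mutex_lock (&lock)` grows or bounds the array before indexing it, so the upper side is covered as well. Placing the early return before HURD_CRITICAL_BEGIN and the lock is right, since nothing has to be undone on that path. A one-line comment above the check saying that `domain' is used as an array index would help, as would a regression test asserting that socket() and socketpair() with a negative domain fail with EAFNOSUPPORT.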
