Title: [236928] trunk/Source/WebKit
- Revision: 236928
- Author: [email protected]
- Date: 2018-10-08 12:12:28 -0700 (Mon, 08 Oct 2018)
Log Message
Validation in Connection::readBytesFromSocket() is too aggressive
https://bugs.webkit.org/show_bug.cgi?id=190281
Reviewed by Michael Catanzaro.
Since r217206, Connection::readBytesFromSocket() validates the size of the
control message. However, it compares cmsg_len with attachmentMaxAmount,
while Connection::sendOutgoingMessage() computes it as
CMSG_LEN(sizeof(int) * attachmentFDBufferLength), where
attachmentFDBufferLength <= attachmentMaxAmount. This mismatch between
sender and receiver leads to the possibility of an assertion failure with a
large number of attachments; e.g. here 62 attachments have cmsg_length == 264.
* Platform/IPC/unix/ConnectionUnix.cpp:
(IPC::readBytesFromSocket):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (236927 => 236928)
--- trunk/Source/WebKit/ChangeLog 2018-10-08 18:25:52 UTC (rev 236927)
+++ trunk/Source/WebKit/ChangeLog 2018-10-08 19:12:28 UTC (rev 236928)
@@ -1,3 +1,21 @@
+2018-10-08 Konstantin Tokarev <[email protected]>
+
+ Validation in Connection::readBytesFromSocket() is too aggressive
+ https://bugs.webkit.org/show_bug.cgi?id=190281
+
+ Reviewed by Michael Catanzaro.
+
+ Since r217206 Connection::readBytesFromSocket() validates size of
+ control message. However, it compares cmsg_len with attachmentMaxAmount,
+ while Connection::sendOutgoingMessage() computes it as
+ CMSG_LEN(sizeof(int) * attachmentFDBufferLength) where
+ attachmentFDBufferLength <= attachmentMaxAmount. This mismatch between
+ sender and receiver leads to possibility of assertion failure with large
+ number of attachments, e.g. here 62 attachments have cmsg_length == 264.
+
+ * Platform/IPC/unix/ConnectionUnix.cpp:
+ (IPC::readBytesFromSocket):
+
2018-10-08 Chris Dumez <[email protected]>
Have DOMWindowProperty get is frame from its associated DOMWindow
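Review bot: the ChangeLog entry says "cmsg_length == 264" while the field actually compared in ConnectionUnix.cpp is cmsg_len; using the real field name in the entry would make it easier to grep the log against the code later.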
Modified: trunk/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp (236927 => 236928)
--- trunk/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp 2018-10-08 18:25:52 UTC (rev 236927)
+++ trunk/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp 2018-10-08 19:12:28 UTC (rev 236928)
@@ -273,7 +273,7 @@
struct cmsghdr* controlMessage;
for (controlMessage = CMSG_FIRSTHDR(&message); controlMessage; controlMessage = CMSG_NXTHDR(&message, controlMessage)) {
if (controlMessage->cmsg_level == SOL_SOCKET && controlMessage->cmsg_type == SCM_RIGHTS) {
- if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) {
+ if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > CMSG_LEN(sizeof(int) * attachmentMaxAmount)) {
ASSERT_NOT_REACHED();
break;
}
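Review bot: the new upper bound CMSG_LEN(sizeof(int) * attachmentMaxAmount) now matches the sender-side formula quoted in the log message, but the check still accepts any cmsg_len between CMSG_LEN(0) and that bound, including values where the payload is not a whole number of ints. If the code that follows derives the attachment count from cmsg_len, consider also rejecting `(controlMessage->cmsg_len - CMSG_LEN(0)) % sizeof(int) != 0`, and add a short comment above the condition stating that this bound must stay in sync with sendOutgoingMessage(), since the two sides drifting apart is exactly what caused this bug. Note that ASSERT_NOT_REACHED() compiles out in release builds, so there a malformed control message only hits the `break`; that is unchanged by this patch but worth keeping in mind when deciding how strict the check should be.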