Title: [237505] releases/WebKitGTK/webkit-2.22/Source/WebKit
- Revision
- 237505
- Author
- [email protected]
- Date
- 2018-10-28 06:42:17 -0700 (Sun, 28 Oct 2018)
Log Message
Merged r236928 - Validation in Connection::readBytesFromSocket() is too aggressive
https://bugs.webkit.org/show_bug.cgi?id=190281
Reviewed by Michael Catanzaro.
Since r217206 Connection::readBytesFromSocket() validates the size of the
control message. However, it compares cmsg_len with attachmentMaxAmount,
while Connection::sendOutgoingMessage() computes it as
CMSG_LEN(sizeof(int) * attachmentFDBufferLength) where
attachmentFDBufferLength <= attachmentMaxAmount. This mismatch between
sender and receiver leads to the possibility of an assertion failure with a
large number of attachments, e.g. here 62 attachments have cmsg_length == 264.
* Platform/IPC/unix/ConnectionUnix.cpp:
(IPC::readBytesFromSocket):
Diff
Modified: releases/WebKitGTK/webkit-2.22/Source/WebKit/ChangeLog (237504 => 237505)
--- releases/WebKitGTK/webkit-2.22/Source/WebKit/ChangeLog 2018-10-28 13:42:11 UTC (rev 237504)
+++ releases/WebKitGTK/webkit-2.22/Source/WebKit/ChangeLog 2018-10-28 13:42:17 UTC (rev 237505)
@@ -1,3 +1,21 @@
+2018-10-08 Konstantin Tokarev <[email protected]>
+
+ Validation in Connection::readBytesFromSocket() is too aggressive
+ https://bugs.webkit.org/show_bug.cgi?id=190281
+
+ Reviewed by Michael Catanzaro.
+
+ Since r217206 Connection::readBytesFromSocket() validates size of
+ control message. However, it compares cmsg_len with attachmentMaxAmount,
+ while Connection::sendOutgoingMessage() computes it as
+ CMSG_LEN(sizeof(int) * attachmentFDBufferLength) where
+ attachmentFDBufferLength <= attachmentMaxAmount. This mismatch between
+ sender and receiver leads to possibility of assertion failure with large
+ number of attachments, e.g. here 62 attachments have cmsg_length == 264.
+
+ * Platform/IPC/unix/ConnectionUnix.cpp:
+ (IPC::readBytesFromSocket):
+
2018-10-02 Adrian Perez de Castro <[email protected]>
Unreviewed. Update OptionsWPE.cmake and NEWS for the 2.22.0 release.
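Review bot: the last sentence of the new entry refers to `cmsg_length`, while the struct member and the code being changed use `cmsg_len`; use the field name consistently so the 264-byte example (CMSG_LEN(62 * sizeof(int)) on a 64-bit Linux host) can be matched directly against the code. It would also help to say explicitly that attachmentMaxAmount counts file descriptors rather than bytes, since that unit confusion is the root cause the entry is describing.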
Modified: releases/WebKitGTK/webkit-2.22/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp (237504 => 237505)
--- releases/WebKitGTK/webkit-2.22/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp 2018-10-28 13:42:11 UTC (rev 237504)
+++ releases/WebKitGTK/webkit-2.22/Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp 2018-10-28 13:42:17 UTC (rev 237505)
@@ -273,7 +273,7 @@
struct cmsghdr* controlMessage;
for (controlMessage = CMSG_FIRSTHDR(&message); controlMessage; controlMessage = CMSG_NXTHDR(&message, controlMessage)) {
if (controlMessage->cmsg_level == SOL_SOCKET && controlMessage->cmsg_type == SCM_RIGHTS) {
- if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) {
+ if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > CMSG_LEN(sizeof(int) * attachmentMaxAmount)) {
ASSERT_NOT_REACHED();
break;
}
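Review bot: the new upper bound now matches what Connection::sendOutgoingMessage() produces, but the `break` after `ASSERT_NOT_REACHED()` still means that in release builds, where the assertion compiles out, a control message that fails the check is skipped silently and its descriptors are dropped without any diagnostic. Consider treating an out-of-range cmsg_len as a connection-level error (or at least logging it) rather than breaking out of the loop, and deriving the bound from a constant shared with the sender so the two sides cannot drift apart again. The check also still accepts a cmsg_len whose payload is not a whole multiple of sizeof(int); if the descriptor count is later computed by division, a remainder check would reject truncated payloads.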
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes