Changeset 217206 in webkit
Timestamp: May 21, 2017, 11:57:08 PM (7 years ago)
Location: trunk/Source/WebKit2
Files: 2 edited
- ChangeLog (modified) (1 diff)
- Platform/IPC/unix/ConnectionUnix.cpp (modified) (1 diff)
trunk/Source/WebKit2/ChangeLog
r217189 r217206 1 2017-05-21 Carlos Garcia Campos <cgarcia@igalia.com> 2 3 Add more input validation in Connection::readBytesFromSocket() 4 https://bugs.webkit.org/show_bug.cgi?id=171871 5 6 Reviewed by Michael Catanzaro. 7 8 Check the control message length is in the limits. Credit to Nathan Crandall for reporting this issue and 9 submitting an equivalent fix. 10 11 * Platform/IPC/unix/ConnectionUnix.cpp: 12 (IPC::readBytesFromSocket): 13 1 14 2017-05-20 Michael Catanzaro <mcatanzaro@igalia.com> 2 15 -
trunk/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
r217126 r217206 273 273 for (controlMessage = CMSG_FIRSTHDR(&message); controlMessage; controlMessage = CMSG_NXTHDR(&message, controlMessage)) { 274 274 if (controlMessage->cmsg_level == SOL_SOCKET && controlMessage->cmsg_type == SCM_RIGHTS) { 275 if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { 276 ASSERT_NOT_REACHED(); 277 break; 278 } 275 279 size_t previousFileDescriptorsSize = fileDescriptors.size(); 276 280 size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int);
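Review bot: The upper bound in the added check, `controlMessage->cmsg_len > attachmentMaxAmount`, compares a byte length that still includes the cmsg header against a limit whose name reads as a number of attachments, while the descriptor count is only derived two lines later as `(controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int)`. If attachmentMaxAmount is a count, the units do not match and the bound is stricter than the count limit, so valid messages could be rejected; consider expressing the limit in bytes, for example `controlMessage->cmsg_len > CMSG_LEN(sizeof(int) * attachmentMaxAmount)`, or computing fileDescriptorsCount first and comparing that. A short comment that the `cmsg_len < CMSG_LEN(0)` half exists to keep the unsigned subtraction from wrapping would also help. Separately, ASSERT_NOT_REACHED() fires on a length supplied by the peer process, so a malformed message aborts a debug build of the receiver; logging and dropping the message before the `break` would keep the rejection path the same in debug and release.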