From 65ec7f4d6e8832c481f6e00e2eb007b9a60024ce Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Thu, 4 Feb 2021 14:00:53 +0000
Subject: [PATCH 09/11] =?UTF-8?q?gsocket:=20Use=20gsize=20to=20track=20nat?= =?UTF-8?q?ive=20sockaddr=E2=80=99s=20size?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Don’t use an `int`, that’s potentially too small. In practical terms, this is not a problem, since no socket address is going to be that big. By making these changes we can use `g_memdup2()` without warnings, though. Fewer warnings is good.

Signed-off-by: Philip Withnall
Helps: #2319
Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
CVE: CVE-2021-27219
Signed-off-by: Neetika Singh
Signed-off-by: Ranjitsinh Rathod
---
 gio/gsocket.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--- a/gio/gsocket.c
+++ b/gio/gsocket.c
@@ -75,6 +75,7 @@
 #include "gcredentialsprivate.h"
 #include "glibintl.h"
 #include "gioprivate.h"
+#include "gstrfuncsprivate.h"
 
 #ifdef G_OS_WIN32
 /* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */
@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_ba
 GError **error);
 
 static GSocketAddress *
-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len);
+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len);
 
 static gssize
 g_socket_receive_message_with_timeout (GSocket *socket,
@@ -260,7 +261,7 @@ struct _GSocketPrivate
 struct {
 GSocketAddress *addr;
 struct sockaddr *native;
- gint native_len;
+ gsize native_len;
 guint64 last_used;
 } recv_addr_cache[RECV_ADDR_CACHE_SIZE];
 };
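Review bot: The prototype in the hunk at -174 declares the new length parameter as `size_t` while the struct field in the hunk at -260 uses `gsize`, and the definition in the hunk at -5259 and its local `tmp_native_len` in the hunk at -5274 split the same way; the surrounding code uses the GLib spellings (`gint i`, `gsize native_len`), so the mix reads as an oversight. The two types are effectively the same width in GLib, so this is purely a point of style, but a reader verifying the signed-to-unsigned change has to stop and confirm that equivalence. I would use the GLib name throughout, `cache_recv_address (GSocket *socket, struct sockaddr *native, gsize native_len);` in the prototype and the matching spelling in the definition.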
@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSo
 }
 
 static GSocketAddress *
-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len)
 {
 GSocketAddress *saddr;
 gint i;
 guint64 oldest_time = G_MAXUINT64;
 gint oldest_index = 0;
 
- if (native_len <= 0)
+ if (native_len == 0)
 return NULL;
 
 saddr = NULL;
@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, str
 {
 GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
 gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
+ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
 
 if (!tmp)
 continue;
@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, str
 g_free (socket->priv->recv_addr_cache[oldest_index].native);
 }
 
- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len);
+ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len);
 socket->priv->recv_addr_cache[oldest_index].native_len = native_len;
 socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr);
 socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time ();
@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (G
 /* do it */
 while (1)
 {
+ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */
+ G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
+
 addrlen = sizeof addr;
 if (address)
 result = WSARecvFrom (socket->priv->fd,
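Review bot: Changing the guard in cache_recv_address from `native_len <= 0` to `native_len == 0` drops the rejection of negative lengths at the same moment the parameter becomes unsigned; a negative `int` length from a caller would now convert to a very large `size_t`, pass the guard, and be handed to `g_memdup2 (native, native_len)` in the hunk at -5304. The call sites are outside this diff, so whether a negative value can actually reach here cannot be judged from it, but the comment added in the hunk at -5452 shows that at least the Windows path keeps `addrlen` as an `int`. I would state the precondition on the definition so the next reader does not have to re-derive it: `/* native_len must be a non-negative length reported by the socket layer; a negative value converted to size_t would wrap rather than be rejected here. */`. cache_recv_address's body continues outside the hunk.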