1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
From 65ec7f4d6e8832c481f6e00e2eb007b9a60024ce Mon Sep 17 00:00:00 2001
From: Philip Withnall <pwithnall@endlessos.org>
Date: Thu, 4 Feb 2021 14:00:53 +0000
Subject: [PATCH 09/11] =?UTF-8?q?gsocket:=20Use=20gsize=20to=20track=20nat?=
=?UTF-8?q?ive=20sockaddr=E2=80=99s=20size?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Don’t use an `int`, that’s potentially too small. In practical terms,
this is not a problem, since no socket address is going to be that big.
By making these changes we can use `g_memdup2()` without warnings,
though. Fewer warnings is good.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
CVE: CVE-2021-27219
Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
---
gio/gsocket.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/gio/gsocket.c
+++ b/gio/gsocket.c
@@ -75,6 +75,7 @@
#include "gcredentialsprivate.h"
#include "glibintl.h"
#include "gioprivate.h"
+#include "gstrfuncsprivate.h"
#ifdef G_OS_WIN32
/* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */
@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_ba
GError **error);
static GSocketAddress *
-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len);
+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len);
static gssize
g_socket_receive_message_with_timeout (GSocket *socket,
@@ -260,7 +261,7 @@ struct _GSocketPrivate
struct {
GSocketAddress *addr;
struct sockaddr *native;
- gint native_len;
+ gsize native_len;
guint64 last_used;
} recv_addr_cache[RECV_ADDR_CACHE_SIZE];
};
@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSo
}
static GSocketAddress *
-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
+cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len)
{
GSocketAddress *saddr;
gint i;
guint64 oldest_time = G_MAXUINT64;
gint oldest_index = 0;
- if (native_len <= 0)
+ if (native_len == 0)
return NULL;
saddr = NULL;
@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, str
{
GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
+ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
if (!tmp)
continue;
@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, str
g_free (socket->priv->recv_addr_cache[oldest_index].native);
}
- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len);
+ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len);
socket->priv->recv_addr_cache[oldest_index].native_len = native_len;
socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr);
socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time ();
@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (G
/* do it */
while (1)
{
+ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */
+ G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
+
addrlen = sizeof addr;
if (address)
result = WSARecvFrom (socket->priv->fd,
|
