RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-23 06:47:40 +00:00
Code Issues Activity Actions

Kernel: Fix accidental memory over-read in getsockopt(IP_TTL)

Browse source 
We were accidentally casting the pointer to m_ttl from an u8* to an int*
which resulted in copying of 3 extra unrelated bytes (which turned out
to be padding in this case).
This commit is contained in:
Idan Horowitz 2021-10-27 23:17:35 +03:00 committed by Andreas Kling
parent c45b1e1983
commit 20c7fcfedf
1 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Kernel/Net/IPv4Socket.cpp
View file

@ -551,12 +551,14 @@ KResult IPv4Socket::getsockopt(OpenFileDescription& description, int level, int
TRY(copy_from_user(&size, value_size.unsafe_userspace_ptr())); TRY(copy_from_user(&size, value_size.unsafe_userspace_ptr()));
switch (option) { switch (option) {
case IP_TTL: case IP_TTL: {
if (size < sizeof(int)) if (size < sizeof(int))
return EINVAL; return EINVAL;
TRY(copy_to_user(static_ptr_cast<int*>(value), (int*)&m_ttl)); int ttl = m_ttl;
TRY(copy_to_user(static_ptr_cast<int*>(value), (int*)&ttl));
size = sizeof(int); size = sizeof(int);
return copy_to_user(value_size, &size); return copy_to_user(value_size, &size);
}
case IP_MULTICAST_LOOP: { case IP_MULTICAST_LOOP: {
if (size < 1) if (size < 1)
return EINVAL; return EINVAL;