mirror of https://github.com/RGBCube/serenity synced 2025-05-31 08:58:11 +00:00

Kernel: Stop modifying peer address/port in sendto on a TCP socket

POSIX (rightfully so) specifies that the sendto address argument is
ignored in connection-oriented protocols.

The TCPSocket also assumed the peer address may not change post-connect
and would trigger a UAF in sockets_by_tuple() when it did.
Idan Horowitz 2023-12-25 15:44:36 +02:00 committed by Andreas Kling
parent 8bb423daf7
commit da2f33df82
3 changed files with 87 additions and 2 deletions


@ -204,8 +204,10 @@ ErrorOr<size_t> IPv4Socket::sendto(OpenFileDescription&, UserOrKernelBuffer cons
return set_so_error(EAFNOSUPPORT);
}
m_peer_address = IPv4Address((u8 const*)&ia.sin_addr.s_addr);
m_peer_port = ntohs(ia.sin_port);
if (type() != SOCK_STREAM) {
m_peer_address = IPv4Address((u8 const*)&ia.sin_addr.s_addr);
m_peer_port = ntohs(ia.sin_port);
}
}
if (!is_connected() && m_peer_address.is_zero())
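
Review bot: The new guard "if (type() != SOCK_STREAM)" carries no comment explaining why the peer fields must stay untouched for stream sockets. The commit message ties this to TCPSocket assuming the peer address does not change after connect (the UAF in sockets_by_tuple()), so a one-line comment at the guard stating that invariant would keep a later cleanup from removing the check. Separately, "return set_so_error(EAFNOSUPPORT);" sits before the guard in the visible lines, so the address argument still appears to be validated for stream sockets even though the message says POSIX has it ignored there; consider widening the guard to cover that validation, or state that rejecting a bad address on a TCP socket is intended.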