Bug 4723 - Socket bounds checks are not correct for two's complement math, vulnerable to overflow
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: System ()
Version: master
Hardware: PC Windows
: --- normal
Target Milestone: Untriaged
Assignee: Gonzalo Paniagua Javier
Depends on:
Reported: 2012-04-29 18:49 UTC by James Bellinger
Modified: 2012-04-30 00:09 UTC

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Description James Bellinger 2012-04-29 18:49:00 UTC
The check 'offset + size > buffer.Length' ought to be 'size > buffer.Length - offset'... otherwise, I can make both of them overflow and get past the check.

In any case, I have made a GitHub patch which fixes this and also centralizes all bounds checking for Socket into a single function (presently it is spread out in each function and done two different ways). I will reference this bug number in the pull request.
Comment 1 Gonzalo Paniagua Javier 2012-04-30 00:09:27 UTC
Applied the pull request 281 to master. I will backport this to mono-2-10.
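
The two forms of the check quoted in the description, side by side, as an added example (not code from Mono or from the pull request). The class and method names are hypothetical, the inputs are constructed, and the sign and offset tests in the corrected form are an assumption about the surrounding validation.

```csharp
using System;

static class BoundsCheckDemo
{
    // Check as quoted in the report. The sum is computed in 32-bit
    // two's complement and wraps silently (C# arithmetic is unchecked
    // by default), so a wrapped sum can compare as "not greater".
    static bool WeakCheckRejects(byte[] buffer, int offset, int size)
    {
        return unchecked(offset + size) > buffer.Length;
    }

    // Form proposed in the report. The sign and offset tests (assumed here)
    // keep buffer.Length - offset in [0, buffer.Length], so the subtraction
    // cannot wrap and the comparison is exact.
    static bool FixedCheckRejects(byte[] buffer, int offset, int size)
    {
        if (offset < 0 || offset > buffer.Length) return true;
        return size < 0 || size > buffer.Length - offset;
    }

    static void Main()
    {
        var buffer = new byte[16];

        // Constructed inputs: { offset, size }
        int[][] cases = {
            new[] { 0, 16 },                       // exactly fits
            new[] { 8, 9 },                        // one byte too long
            new[] { 1, int.MaxValue },             // sum wraps to int.MinValue
            new[] { int.MaxValue, int.MaxValue },  // sum wraps to -2
        };

        foreach (var c in cases)
        {
            Console.WriteLine(
                "offset={0,-10} size={1,-10} sum={2,-11} weak={3,-6} fixed={4}",
                c[0], c[1], unchecked(c[0] + c[1]),
                WeakCheckRejects(buffer, c[0], c[1]) ? "reject" : "ACCEPT",
                FixedCheckRejects(buffer, c[0], c[1]) ? "reject" : "accept");
        }
    }
}
```

The last two rows are the ones the weak form lets through: the wrapped sum is negative, so it never exceeds `buffer.Length`.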