Bug 4723 - Socket bounds checks are not correct for two's complement math, vulnerable to overflow
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: System
Version: master
Hardware: PC Windows
Importance: --- normal
Target Milestone: Untriaged
Assignee: Gonzalo Paniagua Javier
Reported: 2012-04-29 18:49 UTC by James Bellinger
Modified: 2012-04-30 00:09 UTC


Description James Bellinger 2012-04-29 18:49:00 UTC
The check 'offset + size > buffer.Length' ought to be 'size > buffer.Length - offset'... otherwise, I can make both of them overflow and get past the check.

In any case, I have made a Github patch which fixes this and also centralizes all bounds checking for Socket into a single function (presently it is spread out in each function and done two different ways). I will reference this bug number in the pull request.

Comment 1 Gonzalo Paniagua Javier 2012-04-30 00:09:27 UTC
Applied the pull request 281 to master. I will backport this to mono-2-10.
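
The two forms of the check quoted in the description, compared side by side. This is an added example, not code from the bug report or from the Mono pull request. The class and method names, the 16-byte buffer, the sample (offset, size) pairs and the range checks placed in front of the subtraction are assumptions made for illustration.

```csharp
using System;

static class SocketBoundsDemo
{
    // The check as quoted in the report. 'unchecked' spells out the
    // two's complement wraparound C# applies to int addition by default.
    static bool OriginalCheckRejects(byte[] buffer, int offset, int size)
    {
        return unchecked(offset + size) > buffer.Length;
    }

    // The rearranged check from the report. Validating offset first is an
    // assumption of this example: it keeps 'buffer.Length - offset' inside
    // [0, buffer.Length], so the subtraction cannot overflow either.
    static bool RearrangedCheckRejects(byte[] buffer, int offset, int size)
    {
        if (offset < 0 || offset > buffer.Length)
            return true;
        return size < 0 || size > buffer.Length - offset;
    }

    static void Main()
    {
        byte[] buffer = new byte[16];

        // Constructed (offset, size) pairs: two valid ranges, one plain
        // overrun, and two whose sum wraps around to a negative int.
        int[][] cases =
        {
            new[] { 0, 16 },
            new[] { 8, 8 },
            new[] { 8, 9 },
            new[] { int.MaxValue, 1 },
            new[] { int.MaxValue, int.MaxValue },
        };

        foreach (int[] c in cases)
        {
            Console.WriteLine(
                "offset={0,10} size={1,10} sum={2,11} original rejects={3,-5} rearranged rejects={4}",
                c[0], c[1], unchecked(c[0] + c[1]),
                OriginalCheckRejects(buffer, c[0], c[1]),
                RearrangedCheckRejects(buffer, c[0], c[1]));
        }
    }
}
```

The subtraction form is only safe once offset is known to lie between 0 and buffer.Length; with a negative offset, buffer.Length - offset can wrap in the same way the original sum does.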
