diff options
author | Ulrich Drepper <drepper@redhat.com> | 2005-03-06 21:25:22 +0000 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2005-03-06 21:25:22 +0000 |
commit | 84c33ccbbe045d3b074d63504b4d5fad4dc253e6 (patch) | |
tree | 3fb35293bf8aa59953b42182606de71fd65cd4f3 | |
parent | 5dc2883e54cd2ceec387d6fb3b889f86b9831a87 (diff) | |
download | glibc-84c33ccbbe045d3b074d63504b4d5fad4dc253e6.tar.gz glibc-84c33ccbbe045d3b074d63504b4d5fad4dc253e6.tar.xz glibc-84c33ccbbe045d3b074d63504b4d5fad4dc253e6.zip |
* debug/recv_chk.c (__recv_chk): Always fail if request could
overflow the buffer. * debug/recvfrom_chk.c (__recvfrom_chk): Likewise.
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | debug/recv_chk.c | 9 | ||||
-rw-r--r-- | debug/recvfrom_chk.c | 10 |
3 files changed, 9 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog index f94c6437ea..549277146e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 2005-03-06 Ulrich Drepper <drepper@redhat.com> + * debug/recv_chk.c (__recv_chk): Always fail if request could + overflow the buffer. + * debug/recvfrom_chk.c (__recvfrom_chk): Likewise. * socket/bits/socket2.h (recv): Avoid calls to the _chk variant if we know the call succeeds. (recvfrom): Likewise. diff --git a/debug/recv_chk.c b/debug/recv_chk.c index 7a49d17234..479ebdfe72 100644 --- a/debug/recv_chk.c +++ b/debug/recv_chk.c @@ -23,11 +23,8 @@ ssize_t __recv_chk (int fd, void *buf, size_t n, size_t buflen, int flags) { - /* In case N is greater than BUFLEN, we read BUFLEN+1 bytes. - This might overflow the buffer but the damage is reduced to just - one byte. And the program will terminate right away. */ - ssize_t nrecv = __recv (fd, buf, MIN (n, buflen + 1), flags); - if (nrecv > 0 && (size_t) nrecv > buflen) + if (n > buflen) __chk_fail (); - return nrecv; + + return __recv (fd, buf, n, flags); } diff --git a/debug/recvfrom_chk.c b/debug/recvfrom_chk.c index e1b1da7f6b..9790a15deb 100644 --- a/debug/recvfrom_chk.c +++ b/debug/recvfrom_chk.c @@ -24,12 +24,8 @@ ssize_t __recvfrom_chk (int fd, void *buf, size_t n, size_t buflen, int flags, __SOCKADDR_ARG addr, socklen_t *addr_len) { - /* In case N is greater than BUFLEN, we read BUFLEN+1 bytes. - This might overflow the buffer but the damage is reduced to just - one byte. And the program will terminate right away. */ - ssize_t nrecv = __recvfrom (fd, buf, MIN (n, buflen + 1), flags, - addr, addr_len); - if (nrecv > 0 && (size_t) nrecv > buflen) + if (n > buflen) __chk_fail (); - return nrecv; + + return __recvfrom (fd, buf, n, flags, addr, addr_len); } |