dgram: fix out-of-bound memory read

bnoordhuis · bnoordhuis · commit defa637378ae · 2012-02-23T02:07:39.000+01:00
diff --git a/lib/dgram.js b/lib/dgram.js
@@ -165,6 +165,12 @@ Socket.prototype.send = function(buffer,
                                  callback) {
   var self = this;
 
+  if (offset >= buffer.length)
+    throw new Error('Offset into buffer too large');
+
+  if (offset + length > buffer.length)
+    throw new Error('Offset + length beyond buffer length');
+
   callback = callback || noop;
 
   self._healthCheck();
diff --git a/src/udp_wrap.cc b/src/udp_wrap.cc
@@ -286,6 +286,8 @@ Handle<Value> UDPWrap::DoSend(const Arguments& args, int family) {
 
   size_t offset = args[1]->Uint32Value();
   size_t length = args[2]->Uint32Value();
+  assert(offset < Buffer::Length(buffer_obj));
+  assert(length <= Buffer::Length(buffer_obj) - offset);
 
   SendWrap* req_wrap = new SendWrap();
   req_wrap->object_->SetHiddenValue(buffer_sym, buffer_obj);
diff --git a/test/simple/test-dgram-oob-buffer.js b/test/simple/test-dgram-oob-buffer.js
@@ -0,0 +1,52 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+// Some operating systems report errors when an UDP message is sent to an
+// unreachable host. This error can be reported by sendto() and even by
+// recvfrom(). Node should not propagate this error to the user.
+
+var common = require('../common');
+var assert = require('assert');
+var dgram = require('dgram');
+
+var socket = dgram.createSocket('udp4');
+var buf = Buffer([1,2,3,4]);
+
+function ok() {}
+socket.send(buf, 0, 0, common.PORT, '127.0.0.1', ok); // useful? no
+socket.send(buf, 0, 4, common.PORT, '127.0.0.1', ok);
+socket.send(buf, 1, 3, common.PORT, '127.0.0.1', ok);
+socket.send(buf, 3, 1, common.PORT, '127.0.0.1', ok);
+
+assert.throws(function() {
+  socket.send(buf, 0, 5, common.PORT, '127.0.0.1', assert.fail);
+});
+assert.throws(function() {
+  socket.send(buf, 2, 3, common.PORT, '127.0.0.1', assert.fail);
+});
+assert.throws(function() {
+  socket.send(buf, 4, 0, common.PORT, '127.0.0.1', assert.fail);
+});
+assert.throws(function() {
+  socket.send(buf, 4, 4, common.PORT, '127.0.0.1', assert.fail);
+});
+
+socket.close(); // FIXME should not be necessary
