
Socket: Fixed a security issue when default-initialized ArraySegment …

…structs are passed in.

This is the same security issue that was recently addressed in MS.NET.
commit 70640f232bd792dd412fef5e1c932aa20f90cc87 1 parent 949e910
XTZGZoReX authored migueldeicaza committed

Showing 1 changed file with 10 additions and 0 deletions. Show diff stats Hide diff stats

  1. +10 0 mcs/class/System/System.Net.Sockets/Socket_2_1.cs
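--- a/mcs/class/System/System.Net.Sockets/Socket_2_1.cs
+++ b/mcs/class/System/System.Net.Sockets/Socket_2_1.cs
@@ -1816,6 +1816,11 @@ int Receive (IList<ArraySegment<byte>> buffers, SocketFlags socketFlags, out Soc
 
 for(int i = 0; i < numsegments; i++) {
 ArraySegment<byte> segment = buffers[i];
+
+if (segment.Offset < 0 || segment.Count < 0 ||
+segment.Count > segment.Array.Length - segment.Offset)
+throw new ArgumentOutOfRangeException ("segment");
+
 gch[i] = GCHandle.Alloc (segment.Array, GCHandleType.Pinned);
 bufarray[i].len = segment.Count;
 bufarray[i].buf = Marshal.UnsafeAddrOfPinnedArrayElement (segment.Array, segment.Offset);
@@ -1893,6 +1898,11 @@ int Send (IList<ArraySegment<byte>> buffers, SocketFlags socketFlags, out Socket
 GCHandle[] gch = new GCHandle[numsegments];
 for(int i = 0; i < numsegments; i++) {
 ArraySegment<byte> segment = buffers[i];
+
+if (segment.Offset < 0 || segment.Count < 0 ||
+segment.Count > segment.Array.Length - segment.Offset)
+throw new ArgumentOutOfRangeException ("segment");
+
 gch[i] = GCHandle.Alloc (segment.Array, GCHandleType.Pinned);
 bufarray[i].len = segment.Count;
 bufarray[i].buf = Marshal.UnsafeAddrOfPinnedArrayElement (segment.Array, segment.Offset);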
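Review bot: The added guard in both the Receive and Send loops reads `segment.Array.Length` without a null check. A default-initialized `ArraySegment<byte>`, the case the commit title names, has a null `Array` with `Offset` and `Count` of 0, so the first two comparisons pass and the third raises a NullReferenceException rather than an argument exception. That still keeps the null array away from `Marshal.UnsafeAddrOfPinnedArrayElement`, but only as a side effect; put `if (segment.Array == null) throw new ArgumentException ("Buffer segment has a null array", "buffers");` ahead of the range check so the rejection is deliberate. The throw also sits inside the loop after earlier iterations have already pinned arrays into `gch`; the cleanup code is outside the hunk, so confirm a `finally` frees those handles when the loop exits by exception. Finally, `"segment"` is a local rather than a parameter of either method, so `"buffers"` would be the more useful paramName for callers.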

0 comments on commit 70640f2
