Permalink
Browse files

Socket: Fixed a security issue when default-initialized ArraySegment …

…structs are passed in.

This is the same security issue that was recently addressed in MS.NET.
  • Loading branch information...
1 parent 949e910 commit 70640f232bd792dd412fef5e1c932aa20f90cc87 XTZGZoReX committed with migueldeicaza Jun 19, 2011
Showing with 10 additions and 0 deletions.
  1. +10 −0 mcs/class/System/System.Net.Sockets/Socket_2_1.cs
@@ -1816,6 +1816,11 @@ int Receive (IList<ArraySegment<byte>> buffers, SocketFlags socketFlags, out Soc
for(int i = 0; i < numsegments; i++) {
ArraySegment<byte> segment = buffers[i];
+
+ if (segment.Offset < 0 || segment.Count < 0 ||
+ segment.Count > segment.Array.Length - segment.Offset)
+ throw new ArgumentOutOfRangeException ("segment");
+
gch[i] = GCHandle.Alloc (segment.Array, GCHandleType.Pinned);
bufarray[i].len = segment.Count;
bufarray[i].buf = Marshal.UnsafeAddrOfPinnedArrayElement (segment.Array, segment.Offset);
@@ -1893,6 +1898,11 @@ int Send (IList<ArraySegment<byte>> buffers, SocketFlags socketFlags, out Socket
GCHandle[] gch = new GCHandle[numsegments];
for(int i = 0; i < numsegments; i++) {
ArraySegment<byte> segment = buffers[i];
+
+ if (segment.Offset < 0 || segment.Count < 0 ||
+ segment.Count > segment.Array.Length - segment.Offset)
+ throw new ArgumentOutOfRangeException ("segment");
+
gch[i] = GCHandle.Alloc (segment.Array, GCHandleType.Pinned);
bufarray[i].len = segment.Count;
bufarray[i].buf = Marshal.UnsafeAddrOfPinnedArrayElement (segment.Array, segment.Offset);

0 comments on commit 70640f2

Please sign in to comment.