Socket: Fixed a security issue when default-initialized ArraySegment …

…structs are passed in. This is the same security issue that was recently addressed in MS.NET.
mono · Jun 19, 2011 · 70640f2 · 70640f2
1 parent 949e910
commit 70640f2
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/mcs/class/System/System.Net.Sockets/Socket_2_1.cs b/mcs/class/System/System.Net.Sockets/Socket_2_1.cs
@@ -1816,6 +1816,11 @@ int Receive (IList<ArraySegment<byte>> buffers, SocketFlags socketFlags, out Soc
 
 			for(int i = 0; i < numsegments; i++) {
 				ArraySegment<byte> segment = buffers[i];
+
+				if (segment.Offset < 0 || segment.Count < 0 ||
+				    segment.Count > segment.Array.Length - segment.Offset)
+					throw new ArgumentOutOfRangeException ("segment");
+
 				gch[i] = GCHandle.Alloc (segment.Array, GCHandleType.Pinned);
 				bufarray[i].len = segment.Count;
 				bufarray[i].buf = Marshal.UnsafeAddrOfPinnedArrayElement (segment.Array, segment.Offset);
@@ -1893,6 +1898,11 @@ int Send (IList<ArraySegment<byte>> buffers, SocketFlags socketFlags, out Socket
 			GCHandle[] gch = new GCHandle[numsegments];
 			for(int i = 0; i < numsegments; i++) {
 				ArraySegment<byte> segment = buffers[i];
+
+				if (segment.Offset < 0 || segment.Count < 0 ||
+				    segment.Count > segment.Array.Length - segment.Offset)
+					throw new ArgumentOutOfRangeException ("segment");
+
 				gch[i] = GCHandle.Alloc (segment.Array, GCHandleType.Pinned);
 				bufarray[i].len = segment.Count;
 				bufarray[i].buf = Marshal.UnsafeAddrOfPinnedArrayElement (segment.Array, segment.Offset);