
Make sure we don't corrupt the heap when serializing a unix domain sockaddr.

	* socket-io.c (create_object_from_sockaddr): The resulting array size must
	be two bytes larger than the sockaddr one since we always serialize the family
	kind at the beginning.

	This fixes a crash on MD-linux-amd64-mono-sgen-3.0 running unit tests.
kumpera committed Nov 28, 2012
1 parent f67b2c7 commit def386e8eb5c91d9a385fac3d3529f8e0f237f8c
Showing with 5 additions and 14 deletions.
  1. +5 −14 mono/metadata/socket-io.c
@@ -930,20 +930,11 @@ static MonoObject *create_object_from_sockaddr(struct sockaddr *saddr,
g_assert (domain->sockaddr_data_field);
}
- /* Make sure there is space for the family and size bytes */
-#ifdef HAVE_SYS_UN_H
- if (saddr->sa_family == AF_UNIX) {
- /* sa_len includes the entire sockaddr size, so we don't need the
- * N bytes (sizeof (unsigned short)) of the family. */
- data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size);
- } else
-#endif
- {
- /* May be the +2 here is too conservative, as sa_len returns
- * the length of the entire sockaddr_in/in6, including
- * sizeof (unsigned short) of the family */
- data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size+2);
- }
+ /* May be the +2 here is too conservative, as sa_len returns
+ * the length of the entire sockaddr_in/in6, including
+ * sizeof (unsigned short) of the family */
+ /* We can't really avoid the +2 as all code below depends on this size - INCLUDING unix domain sockets.*/
+ data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size+2);
/* The data buffer is laid out as follows:
* bytes 0 and 1 are the address family
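Review bot: the new block keeps the stale "May be the +2 here is too conservative" comment directly above the one that says the +2 cannot be avoided, so the two comments now contradict each other. Drop the old three-line comment and keep a single statement of why the buffer is sa_size+2, e.g. "Bytes 0 and 1 hold the address family and are prepended to the sa_size bytes of the sockaddr, for every family including AF_UNIX." Since the AF_UNIX path previously allocated only sa_size and the code below writes the family plus the full sockaddr, it would also be worth adding an assertion before the copy loop that the bytes written never exceed mono_array_length (data), so a future per-family special case trips an assert instead of corrupting the heap again.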

0 comments on commit def386e
