
Fix a buffer overflow in custom fd handling in ChildProcess.

Previously there was an unbounded copy from a JavaScript array into an int[3] stack
array.  The copy is now bounded by the size of the stack array.

The following code would reproduce the issue:

var cp = require('child_process');
var bigish = Array(200);

for (var i = 0, il = bigish.length; i < il; ++i)
  bigish[i] = -1;

cp.spawn('/bin/echo', [ ], { customFds: bigish })
deanm committed Aug 20, 2011
1 parent 962a9e8 commit f028f882fc0d45e70bfd6fed1956be41411413cb
Showing with 3 additions and 1 deletion.
  1. +3 −1 src/node_child_process.cc
@@ -47,6 +47,8 @@ extern char **environ;
#include <limits.h> /* PATH_MAX */
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*(a)))
+
namespace node {
using namespace v8;
@@ -168,7 +170,7 @@ Handle<Value> ChildProcess::Spawn(const Arguments& args) {
// Set the custom file descriptor values (if any) for the child process
Local<Array> custom_fds_handle = Local<Array>::Cast(args[4]);
int custom_fds_len = custom_fds_handle->Length();
- for (int i = 0; i < custom_fds_len; i++) {
+ for (int i = 0; i < custom_fds_len && i < ARRAY_SIZE(custom_fds); i++) {
if (custom_fds_handle->Get(i)->IsUndefined()) continue;
Local<Integer> fd = custom_fds_handle->Get(i)->ToInteger();
custom_fds[i] = fd->Value();
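Review bot: The bounded loop on the `+` line stops the stack overflow but silently ignores every entry past the end of `custom_fds`, so a caller passing a longer `customFds` array gets descriptors that are never wired up and no error telling it so; I would reject the oversize array before the loop, `if (custom_fds_len > (int) ARRAY_SIZE(custom_fds)) return ThrowException(Exception::RangeError(String::New("customFds has too many entries")));`, and keep the bounded loop as a second line of defence. The new condition `i < ARRAY_SIZE(custom_fds)` also compares a signed `int` with the `size_t` the macro yields and will trip `-Wsign-compare`; casting the macro result to `int` (or giving `i` and `custom_fds_len` an unsigned type together) keeps the build warning-free. `custom_fds` itself and the rest of `ChildProcess::Spawn` lie outside the hunk, so the `int[3]` size comes from the commit description rather than from visible lines.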

