Possible event buffer overrun #27

Closed
steverpalmer opened this issue Dec 17, 2022 · 1 comment

@steverpalmer

In function uev_run, the variable ee is declared to be an array of struct epoll_event with size UEV_MAX_EVENTS. This buffer is used in a call to epoll_wait with its maxevents parameter set to ctx->maxevents.

It may be that the intent is that ctx->maxevents cannot be bigger than UEV_MAX_EVENTS, but this is not enforced in uev_init1. Therefore, with the default UEV_MAX_EVENTS set to 10, I could use uev_init1 to set the ctx->maxevents to 20, and then the ee buffer could be overrun in the call to epoll_wait.

Of course, it is unlikely that so many events will occur simultaneously, so in real life this vulnerability is very unlikely to occur. Nevertheless, I thought you might want to be aware.

@troglobit troglobit self-assigned this Dec 17, 2022
@troglobit troglobit added the bug label Dec 17, 2022
@troglobit
Owner

Thank you for the report!
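
The bound discussed in the report, enforced both where maxevents is set and where epoll_wait is called, as an added example that is not part of the thread and is not the project's code or its actual fix. Only UEV_MAX_EVENTS, ee and maxevents come from the issue; struct demo_ctx, clamp_maxevents, demo_wait, demo_run and DEMO_FDS are hypothetical names, and the ready descriptors are constructed with eventfd (Linux only).

```c
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/eventfd.h>
#include <unistd.h>

#define UEV_MAX_EVENTS 10                    /* default quoted in the report */
#define DEMO_FDS 32                          /* constructed upper bound for the demo */

struct demo_ctx { int fd; int maxevents; };  /* hypothetical stand-in context */

/* Bound a caller-supplied maxevents to the size of the fixed event array. */
static int clamp_maxevents(int requested)
{
    if (requested < 1) return 1;
    return requested > UEV_MAX_EVENTS ? UEV_MAX_EVENTS : requested;
}

/* One poll pass; returns how many events the kernel wrote into ee[]. */
static int demo_wait(const struct demo_ctx *ctx)
{
    struct epoll_event ee[UEV_MAX_EVENTS];
    return epoll_wait(ctx->fd, ee, clamp_maxevents(ctx->maxevents), 0);
}

/* Constructed scenario: `ready` fds readable at once, caller asks for `requested`. */
static int demo_run(int requested, int ready)
{
    struct demo_ctx ctx = { .maxevents = clamp_maxevents(requested) }; /* init-time check */
    int fds[DEMO_FDS], i, n;
    if (ready < 0 || ready > DEMO_FDS) return -1;
    if ((ctx.fd = epoll_create1(EPOLL_CLOEXEC)) < 0) return -1;
    for (i = 0; i < ready; i++) {
        struct epoll_event ev = { .events = EPOLLIN };
        fds[i] = eventfd(1, EFD_NONBLOCK);   /* counter 1: readable immediately */
        ev.data.fd = fds[i];
        epoll_ctl(ctx.fd, EPOLL_CTL_ADD, fds[i], &ev);
    }
    n = demo_wait(&ctx);
    for (i = 0; i < ready; i++) close(fds[i]);
    close(ctx.fd);
    return n;
}

int main(void)
{
    printf("20 ready, 20 requested -> %d delivered\n", demo_run(20, 20));
    return 0;
}
```

Events beyond the clamped count are not lost: with level-triggered epoll they are returned by the next epoll_wait call.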
