projects / platform / framework / web / download-provider.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 401b22b)
Limit g_dp_sock size for buffer overflow 79/209579/2 accepted/tizen/unified/20190710.103439 submit/tizen/20190709.045603
authorSeonah Moon <seonah1.moon@samsung.com>
Tue, 9 Jul 2019 04:34:02 +0000 (13:34 +0900)
committerSeonah Moon <seonah1.moon@samsung.com>
Tue, 9 Jul 2019 04:42:01 +0000 (13:42 +0900)
[WID-3498058] Buffer 'rset.__fds_bits' of size 32
accessed at dp_client_manager() can overflow,
since its index 'g_dp_sock / 32' can have value 50331680
that is out of range, as indicated by preceding conditional expression.

Change-Id: I6c9c51903faa1df6c207670ab4b63b01038bcb70

packaging/download-provider.spec patch | blob | history
provider/download-provider-client-manager.c patch | blob | history

diff --git a/packaging/download-provider.spec b/packaging/download-provider.spec
index 4620923..bd3734e 100755 (executable)
--- a/packaging/download-provider.spec
+++ b/packaging/download-provider.spec
@@ -1,6 +1,6 @@
 Name:       download-provider
 Summary:    Download the contents in background
-Version:    2.1.114
+Version:    2.1.115
 Release:    0
 Group:      Development/Libraries
 License:    Apache-2.0
diff --git a/provider/download-provider-client-manager.c b/provider/download-provider-client-manager.c
index bbdb82b..3db6982 100755 (executable)
--- a/provider/download-provider-client-manager.c
+++ b/provider/download-provider-client-manager.c
@@ -107,7 +107,7 @@ static int __dp_accept_socket_new()
        int fd_base, listen_fds = sd_listen_fds(1);
        TRACE_DEBUG("sd_listen_fds:%d", listen_fds);
 
-       if (listen_fds > INT_MAX) {
+       if (listen_fds > FD_SETSIZE - 3) {
                TRACE_DEBUG("sd_listen_fds:%d", listen_fds);
                return -1;
        }
Domain: Network & Connectivity / Data Network; Licenses: Apache-2.0;