From 4d9ada68b5e2c99d82495a816d35180e4a92b7e3 Mon Sep 17 00:00:00 2001
From: Rodrigo Kumpera
Date: Wed, 28 Nov 2012 17:04:27 -0500
Subject: [PATCH] Make sure we don't corrupt the heap when serializing a unix domain socketaddr.

* socket-io.c (create_object_from_sockaddr): The resulting array size must be two bytes larger than the sockaddr one since we always serialize the family kind at the beginning.

This fixes a crash on MD-linux-amd64-mono-sgen-3.0 running unit tests.
---
 mono/metadata/socket-io.c | 19 +++++-------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/mono/metadata/socket-io.c b/mono/metadata/socket-io.c
index 09d0a3e27eb..200f79d379f 100644
--- a/mono/metadata/socket-io.c
+++ b/mono/metadata/socket-io.c
@@ -922,20 +922,11 @@ static MonoObject *create_object_from_sockaddr(struct sockaddr *saddr,
 		g_assert (domain->sockaddr_data_field);
 	}
 
-	/* Make sure there is space for the family and size bytes */
-#ifdef HAVE_SYS_UN_H
-	if (saddr->sa_family == AF_UNIX) {
-		/* sa_len includes the entire sockaddr size, so we don't need the
-		 * N bytes (sizeof (unsigned short)) of the family. */
-		data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size);
-	} else
-#endif
-	{
-		/* May be the +2 here is too conservative, as sa_len returns
-		 * the length of the entire sockaddr_in/in6, including
-		 * sizeof (unsigned short) of the family */
-		data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size+2);
-	}
+	/* May be the +2 here is too conservative, as sa_len returns
+	 * the length of the entire sockaddr_in/in6, including
+	 * sizeof (unsigned short) of the family */
+	/* We can't really avoid the +2 as all code below depends on this size - INCLUDING unix domain sockets.*/
+	data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size+2);
 
 	/* The data buffer is laid out as follows:
 	 * bytes 0 and 1 are the address family
-- 
2.11.4.GIT
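Review bot: The retained comment "May be the +2 here is too conservative" now directly contradicts the comment added right below it and the commit's own rationale, and it invites a later cleanup that drops the +2 and reintroduces the heap overflow this patch fixes. The two comments on the new side should be merged into one that states the invariant as a requirement rather than a doubt, e.g. `/* The +2 is NOT optional: bytes 0-1 of the array hold the address family and the code below writes the sockaddr bytes after them, for every family including AF_UNIX. Shrinking this allocation overruns the array. */`. Since the correct length is now implicit in code outside this hunk, the serialization code that fills `data` (which starts below the hunk) would be the place to assert that it never writes past `sa_size+2`, so the two sides cannot drift apart again; I can't see from here whether such a bound check exists. The enclosing function create_object_from_sockaddr begins before and ends after this hunk.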