Code Review 7009760: Possible stack corruption in Java_java_net_TwoStacksPlainSocketImpl_socketGetOption()

Chris Hegarty chris.hegarty at oracle.com
Fri Jan 7 12:39:15 PST 2011


Alan,

In the socketGetOption() function, if the option is 
java_net_SocketOptions_SO_BINDADDR, the code allocates a SOCKET_ADDRESS 
structure, 'him', on the stack. This structure is 8 bytes long. 'len' is 
then set to sizeof(struct sockaddr_in), which is 16. If it's an IPv6 
socket, the len could get set to sizeof(struct SOCKADDR_IN6), which is 28 
bytes. getsockname() is called with a pointer to 'him' and len set as 
above. This could overwrite data on the C stack.

You want to use SOCKETADDRESS instead, since that is a union of 
sockaddr, sockaddr_in and SOCKADDR_IN6, so it is properly sized.

http://cr.openjdk.java.net/~chegar/7009760/webrev.00/webrev/

-Chris.
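The sizing rule behind this review, as an added example that is not part of the original message or of the OpenJDK webrev. It is written for POSIX/Linux rather than the Windows code under review: the SOCKETADDRESS union below is modeled on the one Chris recommends, while addrlen_for_family(), len_fits_buffer() and local_address_family() are hypothetical helpers introduced here to make the invariant checkable. The live part binds a socket to the wildcard address on port 0 and reads the local address back through getsockname() into a buffer that is always at least as large as the length it reports; it returns -1 rather than failing where the environment cannot create or bind the socket (for instance with IPv6 disabled).

```c
#define _POSIX_C_SOURCE 200112L
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Union large enough for every address family we hand to getsockname();
 * this mirrors the SOCKETADDRESS union the review recommends. */
typedef union {
    struct sockaddr     sa;
    struct sockaddr_in  sa4;
    struct sockaddr_in6 sa6;
} SOCKETADDRESS;

/* Length getsockname() must be told for a given family; 0 if unsupported.
 * Hypothetical helper for this example, not an OpenJDK function. */
socklen_t addrlen_for_family(int family)
{
    switch (family) {
    case AF_INET:  return (socklen_t)sizeof(struct sockaddr_in);
    case AF_INET6: return (socklen_t)sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* The invariant the buggy code broke: the length passed to getsockname()
 * must never exceed the storage behind the pointer, otherwise the kernel
 * writes past the end of the buffer on the C stack. */
int len_fits_buffer(socklen_t len, size_t bufsize)
{
    return len != 0 && (size_t)len <= bufsize;
}

/* Bind a fresh socket of 'family' to the wildcard address, port 0, and
 * read its local address back into a correctly sized buffer. Returns the
 * family the kernel reports, or -1 if the socket cannot be created or
 * bound here (e.g. IPv6 disabled) or the reported length would not fit. */
int local_address_family(int family)
{
    SOCKETADDRESS him;
    socklen_t len = addrlen_for_family(family);
    if (!len_fits_buffer(len, sizeof him))
        return -1;

    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&him, 0, sizeof him);
    him.sa.sa_family = (sa_family_t)family;   /* zeroed: wildcard addr, port 0 */
    if (bind(fd, &him.sa, len) < 0) {
        close(fd);
        return -1;
    }

    memset(&him, 0, sizeof him);
    socklen_t outlen = (socklen_t)sizeof him; /* tell the kernel the real size */
    if (getsockname(fd, &him.sa, &outlen) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    /* outlen is how many bytes the kernel wrote: 16 for AF_INET and 28 for
     * AF_INET6 on Linux. An 8-byte SOCKET_ADDRESS passed with len=28 would
     * have had 20 bytes written past its end. */
    return len_fits_buffer(outlen, sizeof him) ? (int)him.sa.sa_family : -1;
}

int main(void)
{
    printf("sizeof(struct sockaddr)     = %zu\n", sizeof(struct sockaddr));
    printf("sizeof(struct sockaddr_in)  = %zu\n", sizeof(struct sockaddr_in));
    printf("sizeof(struct sockaddr_in6) = %zu\n", sizeof(struct sockaddr_in6));
    printf("sizeof(SOCKETADDRESS)       = %zu\n", sizeof(SOCKETADDRESS));
    printf("AF_INET6 len fits an 8-byte buffer? %d\n",
           len_fits_buffer(addrlen_for_family(AF_INET6), 8));
    printf("AF_INET6 len fits SOCKETADDRESS?    %d\n",
           len_fits_buffer(addrlen_for_family(AF_INET6), sizeof(SOCKETADDRESS)));
    printf("live IPv4 getsockname family: %d\n", local_address_family(AF_INET));
    printf("live IPv6 getsockname family: %d\n", local_address_family(AF_INET6));
    return 0;
}
```

Note that on Linux a plain `struct sockaddr` is only 16 bytes, so using it (rather than the union or `struct sockaddr_storage`) as the destination for an IPv6 socket reproduces the same overrun the review describes; the check in len_fits_buffer() is what should gate the length before any call that writes into the buffer.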


