Code Review 7009760: Possible stack corruption in Java_java_net_TwoStacksPlainSocketImpl_socketGetOption()

Alan Bateman Alan.Bateman at oracle.com
Fri Jan 7 12:48:57 PST 2011


Chris Hegarty wrote:
> Alan,
>
> In socketGetOption() function if the option is 
> java_net_SocketOptions_SO_BINDADDR the code allocates a 
> SOCKET_ADDRESS, him, structure on the stack. This structure is 8 bytes 
> long. 'len' is then set to sizeof(struct sockaddr_in) which is 16. If 
> it's an IPV6 socket the len could get set to sizeof(struct 
> SOCKADDR_IN6) which is 28 bytes. getsockname() is called with a 
> pointer to 'him' and len set as above. This could overwrite data on 
> the C stack.
>
> You want to use SOCKETADDRESS instead since that is a union of 
> sockaddr, sockaddr_in and SOCKADDR_IN6 so it is properly sized.
>
> http://cr.openjdk.java.net/~chegar/7009760/webrev.00/webrev/
>
> -Chris.
Looks okay to me.

-Alan.
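The size discipline Chris describes, as an added example written for this page (not the JDK's own code): the buffer passed to getsockname() is the union, the length is derived from the socket family, and the two are cross-checked before the call. It uses POSIX names (sockaddr_in6 rather than SOCKADDR_IN6) and assumes the 16/28-byte layouts of sockaddr_in/sockaddr_in6 found on Linux and Windows.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Same shape as the JDK's SOCKETADDRESS union (POSIX names here; the
 * Windows source uses SOCKADDR_IN6). A union is as large as its largest
 * member, so any 'len' derived from a member always fits inside it. */
typedef union {
    struct sockaddr     sa;
    struct sockaddr_in  sa4;
    struct sockaddr_in6 sa6;
} SOCKETADDRESS;

/* Length getsockname() will be told it may write for a socket family. */
socklen_t addr_len_for(int family)
{
    switch (family) {
    case AF_INET:  return (socklen_t)sizeof(struct sockaddr_in);   /* 16 */
    case AF_INET6: return (socklen_t)sizeof(struct sockaddr_in6);  /* 28 */
    default:       return 0;                                       /* unsupported */
    }
}

/* The check the buggy code lacked: the advertised length must never exceed
 * the buffer it points at, otherwise getsockname() writes past the end. */
int len_fits(size_t bufsize, socklen_t len)
{
    return len != 0 && (size_t)len <= bufsize;
}

/* Hardened query: union-sized buffer, family-derived length, both verified
 * before the kernel is allowed to write. Returns 0 on success, -1 otherwise. */
int local_address(int fd, int family, SOCKETADDRESS *out, socklen_t *len)
{
    *len = addr_len_for(family);
    if (!len_fits(sizeof *out, *len))
        return -1;
    memset(out, 0, sizeof *out);
    if (getsockname(fd, &out->sa, len) != 0)
        return -1;
    return out->sa.sa_family == family ? 0 : -1;
}

int main(void)
{
    /* An 8-byte buffer (the bug's SOCKET_ADDRESS on 32-bit Windows) cannot
     * even hold the IPv4 length; the union holds the IPv6 length as well. */
    printf("8-byte buffer takes v4 len: %d\n", len_fits(8, addr_len_for(AF_INET)));
    printf("union takes v6 len:         %d\n", len_fits(sizeof(SOCKETADDRESS), addr_len_for(AF_INET6)));
    return 0;
}
```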
