Bugzilla bug 106496: PR_NewTCPSocketPair should check the source of the

connection.
2024-11-30 00:01:50 +00:00 · 2002-01-23 02:41:13 +00:00 · 2002-01-23 02:41:13 +00:00 · c9c37d3fe8
commit c9c37d3fe8
parent 623d0a3bfe
1 changed files with 18 additions and 2 deletions
--- a/nsprpub/pr/src/io/prsocket.c
+++ b/nsprpub/pr/src/io/prsocket.c
@ -1469,7 +1469,7 @@ failed:
     * default implementation
     */
    PRFileDesc *listenSock;
-    PRNetAddr selfAddr;
+    PRNetAddr selfAddr, peerAddr;
    PRUint16 port;

    f[0] = f[1] = NULL;
@ -1507,10 +1507,23 @@ failed:
            == PR_FAILURE) {
        goto failed;
    }
-    f[1] = PR_Accept(listenSock, NULL, PR_INTERVAL_NO_TIMEOUT);
+    /*
+     * A malicious local process may connect to the listening
+     * socket, so we need to verify that the accepted connection
+     * is made from our own socket f[0].
+     */
+    if (PR_GetSockName(f[0], &selfAddr) == PR_FAILURE) {
+        goto failed;
+    }
+    f[1] = PR_Accept(listenSock, &peerAddr, PR_INTERVAL_NO_TIMEOUT);
    if (f[1] == NULL) {
        goto failed;
    }
+    if (peerAddr.inet.port != selfAddr.inet.port) {
+        /* the connection we accepted is not from f[0] */
+        PR_SetError(PR_INSUFFICIENT_RESOURCES_ERROR, 0);
+        goto failed;
+    }
    PR_Close(listenSock);
    return PR_SUCCESS;

@ -1521,6 +1534,9 @@ failed:
    if (f[0]) {
        PR_Close(f[0]);
    }
+    if (f[1]) {
+        PR_Close(f[1]);
+    }
    return PR_FAILURE;
 #endif
 }