Fix vulnerability in enc_untrusted_recvfrom

kongoshuu · kongoshuu · commit 299f804acbb9 · 2020-07-21T17:22:45.000-07:00
Change recvfrom memcpy to check for received_buffer size to avoid
copying extra buffer.

This issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and
Kang Li from Baidu Security.

PiperOrigin-RevId: 322476299
Change-Id: I3606ff9ec51ec7cc4312c7555c645a2fc6e09b21
diff --git a/asylo/platform/host_call/trusted/host_calls.cc b/asylo/platform/host_call/trusted/host_calls.cc
@@ -982,7 +982,7 @@ ssize_t enc_untrusted_recvfrom(int sockfd, void *buf, size_t len, int flags,
   }
 
   auto buffer_received = output.next();
-  memcpy(buf, buffer_received.data(), len);
+  memcpy(buf, buffer_received.data(), std::min(len, buffer_received.size()));
 
   // If |src_addr| is not NULL, and the underlying protocol provides the source
   // address, this source address is filled in. When |src_addr| is NULL, nothing

Original file line number	Diff line number	Diff line change
`@@ -982,7 +982,7 @@ ssize_t enc_untrusted_recvfrom(int sockfd, void *buf, size_t len, int flags,`
`982`	`982`	`}`
`983`	`983`
`984`	`984`	`auto buffer_received = output.next();`
`985`		`- memcpy(buf, buffer_received.data(), len);`
	`985`	`+ memcpy(buf, buffer_received.data(), std::min(len, buffer_received.size()));`
`986`	`986`
`987`	`987`	`// If \|src_addr\| is not NULL, and the underlying protocol provides the source`
`988`	`988`	`// address, this source address is filled in. When \|src_addr\| is NULL, nothing`