
Commit cf8dbb5

krockotchromeos-ci-prod
authored and committed
ipcz: Fix OOB access in message validation
Fixed: 378917565 Change-Id: I6dee5e1bd8ea9a43532c88fb7db7ae7578123992 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6019209 Commit-Queue: Ken Rockot <[email protected]> Reviewed-by: Daniel Cheng <[email protected]> Cr-Commit-Position: refs/heads/main@{#1382671} CrOS-Libchrome-Original-Commit: 131ddffcec0908c0daaea0ca68b8ef23e24a2039
1 parent 568e01c commit cf8dbb5


1 file changed

+8
-1
lines changed


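--- a/third_party/ipcz/src/ipcz/message.cc
+++ b/third_party/ipcz/src/ipcz/message.cc
@@ -421,7 +421,7 @@ bool Message::ValidateParameters(
 case internal::ParamType::kDriverObject: {
 const uint32_t index = GetParamValueAt<uint32_t>(offset);
 if (index != internal::kInvalidDriverObjectIndex) {
-if (is_object_claimed[index]) {
+if (index >= is_object_claimed.size() || is_object_claimed[index]) {
 return false;
 }
 is_object_claimed[index] = true;
@@ -433,6 +433,13 @@ bool Message::ValidateParameters(
 const internal::DriverObjectArrayData array_data =
 GetParamValueAt<internal::DriverObjectArrayData>(offset);
 const size_t begin = array_data.first_object_index;
+if (begin > is_object_claimed.size()) {
+return false;
+}
+const size_t max_num_objects = is_object_claimed.size() - begin;
+if (array_data.num_objects > max_num_objects) {
+return false;
+}
 for (size_t i = begin; i < begin + array_data.num_objects; ++i) {
 if (is_object_claimed[i]) {
 return false;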
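Review bot: The array-case guard deliberately accepts `begin == is_object_claimed.size()` and leaves it to `array_data.num_objects > max_num_objects` to reject anything but an empty array there; that boundary is correct but not self-evident, so a comment above the new `begin > is_object_claimed.size()` check would help the next reader: `// An empty array may start at size(); any non-empty range must lie within the attached driver objects.` As far as the hunk shows, the two-step size arithmetic means `begin + array_data.num_objects` in the loop can no longer exceed `size()` or wrap, and the `>=`/`||` test in the first hunk closes the single-object case the same way. ValidateParameters starts and ends outside these hunks, and the diffstat lists no test file, so a regression test that feeds a message with an out-of-range `first_object_index` or `num_objects` is presumably elsewhere or still owed.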
