diff options
author | Ben Noordhuis <info@bnoordhuis.nl> | 2013-08-09 02:33:40 +0200 |
---|---|---|
committer | Ben Noordhuis <info@bnoordhuis.nl> | 2013-08-17 17:11:02 +0200 |
commit | 0c2960ef4ab83f0eef2fc60c2575403c33ba4c6b (patch) | |
tree | 88755b7118635ecddff8511bf56d60700499910e /lib | |
parent | 5453619eb2a3bb3e5cae1c1379e3985c724e12c6 (diff) | |
download | android-node-v8-0c2960ef4ab83f0eef2fc60c2575403c33ba4c6b.tar.gz android-node-v8-0c2960ef4ab83f0eef2fc60c2575403c33ba4c6b.tar.bz2 android-node-v8-0c2960ef4ab83f0eef2fc60c2575403c33ba4c6b.zip |
dgram: fix assertion on bad send() arguments
Add range checks for the offset, length and port arguments to
dgram.Socket#send(). Fixes the following assertion:
node: ../../src/udp_wrap.cc:264: static v8::Handle<v8::Value>
node::UDPWrap::DoSend(const v8::Arguments&, int): Assertion
`offset < Buffer::Length(buffer_obj)' failed.
And:
node: ../../src/udp_wrap.cc:265: static v8::Handle<v8::Value>
node::UDPWrap::DoSend(const v8::Arguments&, int): Assertion
`length <= Buffer::Length(buffer_obj) - offset' failed.
Interestingly enough, a negative port number was accepted until now but
silently ignored. (In other words, it would send the datagram to a
random port.)
This commit exposed a bug in the simple/test-dgram-close test which
has also been fixed.
This is a back-port of commit 41ec6d0 from the master branch.
Fixes #6025.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/dgram.js | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/lib/dgram.js b/lib/dgram.js index 05997810e6..379bba9e53 100644 --- a/lib/dgram.js +++ b/lib/dgram.js @@ -244,11 +244,25 @@ Socket.prototype.send = function(buffer, if (!Buffer.isBuffer(buffer)) throw new TypeError('First argument must be a buffer object.'); + offset = offset | 0; + if (offset < 0) + throw new RangeError('Offset should be >= 0'); + if (offset >= buffer.length) - throw new Error('Offset into buffer too large'); + throw new RangeError('Offset into buffer too large'); + + // Sending a zero-length datagram is kind of pointless but it _is_ + // allowed, hence check that length >= 0 rather than > 0. + length = length | 0; + if (length < 0) + throw new RangeError('Length should be >= 0'); if (offset + length > buffer.length) - throw new Error('Offset + length beyond buffer length'); + throw new RangeError('Offset + length beyond buffer length'); + + port = port | 0; + if (port <= 0 || port > 65535) + throw new RangeError('Port should be > 0 and < 65536'); callback = callback || noop; |