path: root/src/stream_base.cc
authorAnna Henningsen <anna@addaleax.net>2018-03-29 22:21:17 +0200
committerMyles Borins <mylesborins@google.com>2018-06-12 20:46:15 -0400
commit3217e8e66fa81e787b9f3b18c0c09235f050acee (patch)
tree412b9aeb694056e67dd43078bf3bcd34b0c47e34 /src/stream_base.cc
parent785e5ba48cb57a05c9c0966a502d34ac03084561 (diff)
src: re-add `Realloc()` shrink after reading stream data
This would otherwise keep a lot of unused memory lying around, and in particular add up to a page per chunk of memory overhead for network reads, potentially opening a DoS vector if the resulting `Buffer` objects are kept around indefinitely (e.g. stored in a list and not concatenated until the socket finishes). This fixes CVE-2018-7164. Refs: https://github.com/nodejs-private/security/issues/186 Refs: https://github.com/nodejs/node/commit/7c4b09b24bbe7d6a8cbad256f47b30a101a909ea PR-URL: https://github.com/nodejs-private/node-private/pull/128 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Evan Lucas <evanlucas@me.com>
Diffstat (limited to 'src/stream_base.cc')
-rw-r--r--src/stream_base.cc3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/stream_base.cc b/src/stream_base.cc
index bbb95bf861..bb46ea1feb 100644
--- a/src/stream_base.cc
+++ b/src/stream_base.cc
@@ -374,8 +374,9 @@ void EmitToJSStreamListener::OnStreamRead(ssize_t nread, const uv_buf_t& buf) {
}
CHECK_LE(static_cast<size_t>(nread), buf.len);
+ char* base = Realloc(buf.base, nread);
- Local<Object> obj = Buffer::New(env, buf.base, nread).ToLocalChecked();
+ Local<Object> obj = Buffer::New(env, base, nread).ToLocalChecked();
stream->CallJSOnreadMethod(nread, obj);
}
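Review bot: The re-added `Realloc()` on the new side carries no comment saying why it has to stay, even though the title says this shrink was lost once already and its absence is CVE-2018-7164; a why-comment would stop the next refactor from dropping it again: `// Shrink to the bytes actually read: buf is allocated for the largest chunk, and handing the full allocation to JS lets a peer pin ~a page per retained Buffer (CVE-2018-7164).` Separately, if `Realloc()` follows realloc(3) semantics for a size of 0 it may free `buf.base` and return nullptr, so `Buffer::New(env, base, nread)` would then receive nullptr; the `nread <= 0` handling appears to live in the block closed at L25, above the hunk, and it is worth confirming that a zero-length read cannot reach this line. Whether a shrinking realloc actually returns memory to the system is allocator-dependent, so the mitigation's effect is best checked under the allocator the build ships with. OnStreamRead's body begins before the hunk.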