Possible event buffer overrun #27

Closed
steverpalmer opened this issue Dec 17, 2022 · 1 comment

@steverpalmer

In function uev_run, the variable ee is declared to be an array of struct epoll_event with size UEV_MAX_EVENTS. This buffer is used in a call to epoll_wait with its maxevents parameter set to ctx->maxevents.

It may be that the intent is that ctx->maxevents cannot be bigger than UEV_MAX_EVENTS, but this is not enforced in uev_init1. Therefore, with the default UEV_MAX_EVENTS set to 10, I could use uev_init1 to set the ctx->maxevents to 20, and then the ee buffer could be overrun in the call to epoll_wait.

Of course, it is unlikely that so many events will occur simultaneously, so in real life this vulnerability is very unlikely to occur. Nevertheless, I thought you might want to be aware.

@troglobit troglobit self-assigned this Dec 17, 2022
@troglobit troglobit added the bug label Dec 17, 2022
@troglobit
Owner

Thank you for the report!
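
The bound the report asks for, as an added example that is not libuev's code or its actual fix: the requested batch size is clamped when it is stored and again against the array actually handed to epoll_wait. `demo_ctx`, `demo_init`, `demo_wait` and `demo_ready_count` are hypothetical names, and the block assumes Linux (epoll and eventfd).

```c
#include <sys/epoll.h>
#include <sys/eventfd.h>
#include <unistd.h>

#define UEV_MAX_EVENTS 10   /* default value quoted in the report */

/* Hypothetical stand-in for the library context (not libuev's struct). */
struct demo_ctx { int fd; int maxevents; };

/* Init-time check: never store a batch size the fixed buffer cannot hold. */
int demo_init(struct demo_ctx *ctx, int maxevents)
{
    if (maxevents > UEV_MAX_EVENTS)
        maxevents = UEV_MAX_EVENTS;
    ctx->maxevents = maxevents;
    ctx->fd = epoll_create1(0);
    return ctx->fd < 0 ? -1 : 0;
}

/* Wait-time check: bound the count by the array actually passed to the kernel. */
int demo_wait(struct demo_ctx *ctx, int timeout_ms)
{
    struct epoll_event ee[UEV_MAX_EVENTS];
    int cap = (int)(sizeof(ee) / sizeof(ee[0]));
    int n = ctx->maxevents;
    if (n < 1 || n > cap)   /* epoll_wait also rejects maxevents <= 0 */
        n = cap;
    return epoll_wait(ctx->fd, ee, n, timeout_ms);
}

/* Constructed scenario: make `nready` descriptors readable at once, then wait. */
int demo_ready_count(int requested, int nready)
{
    struct demo_ctx ctx;
    int fds[32], i, n;
    if (nready > 32 || demo_init(&ctx, requested) < 0)
        return -1;
    for (i = 0; i < nready; i++) {
        struct epoll_event ev = { .events = EPOLLIN };
        fds[i] = eventfd(1, EFD_NONBLOCK);   /* counter 1: readable immediately */
        ev.data.fd = fds[i];
        epoll_ctl(ctx.fd, EPOLL_CTL_ADD, fds[i], &ev);
    }
    n = demo_wait(&ctx, 0);
    for (i = 0; i < nready; i++)
        close(fds[i]);
    close(ctx.fd);
    return n;   /* number of entries the kernel wrote into ee[] */
}
```

With 20 descriptors ready and 20 requested, the wait still reports only 10 entries, because the kernel fills at most the count it is given; the remaining events are delivered on later calls.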
