From e1573dd58ea9b8ec2fe829a1fc0e57fcbecf5b71 Mon Sep 17 00:00:00 2001
From: "Evgeny Grechnikov (Diamond)"
Date: Sun, 1 Feb 2009 11:26:47 +0000
Subject: [PATCH] added check of overflow in socket data buffer
git-svn-id: svn://kolibrios.org@1019 a494cfbc-eb01-0410-851d-a64ba20cac60
---
 kernel/trunk/network/socket.inc | 18 ++++++++++++++++--
 kernel/trunk/network/tcp.inc | 26 +++++++++++++++++++-------
 2 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/kernel/trunk/network/socket.inc b/kernel/trunk/network/socket.inc
index f4dfead9cc..56127ce2b0 100644
--- a/kernel/trunk/network/socket.inc
+++ b/kernel/trunk/network/socket.inc
@@ -54,6 +54,7 @@ struct SOCKET
 .SEG_LEN dd ? ; segment length
 .SEG_WND dd ? ; segment window
 .wndsizeTimer dd ? ; window size timer
+ .lock dd ? ; lock mutex
 .rxData dd ? ; receive data buffer here
 ends
@@ -600,15 +601,18 @@ proc socket_read stdcall
 or eax, eax
 jz .error
+ lea ebx, [eax + SOCKET.lock]
+ call wait_mutex
+ mov ebx, eax
 mov eax, [ebx + SOCKET.rxDataCount] ; get count of bytes
 test eax, eax
- jz .error
+ jz .error_release
 dec eax
 mov esi, ebx ; esi is address of socket
 mov [ebx + SOCKET.rxDataCount], eax ; store new count
- movzx ebx, byte[ebx + SOCKET.rxData] ; get the byte
+ movzx eax, byte[ebx + SOCKET.rxData] ; get the byte
 mov ecx, SOCKETBUFFSIZE - SOCKET.rxData - 1
 lea edi, [esi + SOCKET.rxData]
@@ -621,8 +625,13 @@ proc socket_read stdcall
 and ecx, 3
 rep movsb
+ mov [ebx + SOCKET.lock], 0
+ mov ebx, eax
+ ret
+ .error_release:
+ mov [ebx + SOCKET.lock], 0
 .error:
 xor ebx, ebx
 ret
@@ -645,6 +654,9 @@ proc socket_read_packet stdcall
 or eax, eax
 jz .error
+ lea ebx, [eax + SOCKET.lock]
+ call wait_mutex
+ mov ebx, eax
 mov eax, [ebx + SOCKET.rxDataCount] ; get count of bytes
 test eax, eax ; if count of bytes is zero..
@@ -675,6 +687,7 @@ proc socket_read_packet stdcall
 rep movsb ; copy remaining bytes
 .exit:
+ mov [ebx + SOCKET.lock], 0
 ret ; at last, exit
 .error:
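Review bot: The new `.lock` field is inserted before `.rxData`, so every offset constant that is not derived from the struct moves by 4; the tcp.inc side of this commit bounds the receive buffer with `SOCKETBUFFSIZE - SOCKETHEADERSIZE` while socket.inc sizes it as `SOCKETBUFFSIZE - SOCKET.rxData`, and the two must agree or the overflow check admits bytes past the buffer end. Confirm that SOCKETHEADERSIZE is defined in terms of SOCKET.rxData (its definition is outside this patch). The field comment should also say what the lock protects and who takes it, e.g. `; lock mutex: guards rxDataCount/rxData; taken by socket_read, socket_read_packet and stateTCB_ESTABLISHED`.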
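Review bot: The added `mov ebx, eax` after `call wait_mutex` only yields the socket address if wait_mutex preserves eax, which nothing in the hunk states; the same sequence is added to socket_read_packet in the -645 hunk. If wait_mutex's clobber set is not documented at its definition, either save the pointer explicitly (`push eax` / `pop ebx`, as the tcp.inc hunk does with ebx) or annotate the call with `; wait_mutex must preserve eax (socket address)`. Note also that each successful one-byte read now shifts up to `SOCKETBUFFSIZE - SOCKET.rxData - 1` bytes with the lock held, so the receive path in stateTCB_ESTABLISHED waits for that whole copy on every read; worth a comment so nobody treats the lock hold time as trivial.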
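Review bot: Once the lock is taken in socket_read_packet, the branch following `test eax, eax ; if count of bytes is zero..` is outside the hunk; if it still targets `.error`, that path (visible in the -675 hunk, directly after the new release at `.exit`) returns with `SOCKET.lock` still set and every later reader plus the TCP receive path blocks forever. socket_read got a dedicated `.error_release` label for exactly this case; socket_read_packet needs the same treatment, or that branch must go to `.exit` where the lock is released. The function body continues outside the hunk.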
@@ -685,6 +698,7 @@ proc socket_read_packet stdcall
 xor esi, esi
 mov [ebx + SOCKET.rxDataCount], esi ; store new count (zero)
 call .start_copy
+ mov [ebx + SOCKET.lock], 0
 ret
 .start_copy:
diff --git a/kernel/trunk/network/tcp.inc b/kernel/trunk/network/tcp.inc
index c117dd1564..1ecb36c30b 100644
--- a/kernel/trunk/network/tcp.inc
+++ b/kernel/trunk/network/tcp.inc
@@ -921,7 +921,7 @@ proc stateTCB_ESTABLISHED stdcall, sockAddr:DWORD
 movzx ecx, [edx + IP_PACKET.TotalLength]
 xchg cl, ch
 sub ecx, 40 ; Discard 40 bytes of header
- jnz .data ; Read data, if any
+ ja .data ; Read data, if any
 ; If we had received a fin, we need to ACK it.
 cmp [ebx + SOCKET.TCBState], TCB_CLOSE_WAIT
@@ -929,14 +929,19 @@ proc stateTCB_ESTABLISHED stdcall, sockAddr:DWORD
 jmp .exit
 .data:
+ push ebx
+ add ebx, SOCKET.lock
+ call wait_mutex
+ pop ebx
+ push ecx
+ push [ebx + SOCKET.PID] ; get socket owner PID
+ mov eax, [ebx + SOCKET.rxDataCount]
+ add eax, ecx
+ cmp eax, SOCKETBUFFSIZE - SOCKETHEADERSIZE
+ ja .overflow
- add [ebx + SOCKET.rxDataCount], ecx ; increment the count of bytes in buffer
-
- mov eax, [ebx + SOCKET.PID] ; get socket owner PID
- push eax
-
- mov eax, [ebx + SOCKET.rxDataCount] ; get # of bytes already in buffer
+ mov [ebx + SOCKET.rxDataCount], eax ; increment the count of bytes in buffer
 ; point to the location to store the data
 lea edi, [ebx + eax + SOCKETHEADERSIZE]
@@ -947,6 +952,7 @@ proc stateTCB_ESTABLISHED stdcall, sockAddr:DWORD
 cld
 rep movsb ; copy the data across
+ mov [ebx + SOCKET.lock], 0 ; release mutex
 ; flag an event to the application
 pop eax
@@ -1001,6 +1007,12 @@ proc stateTCB_ESTABLISHED stdcall, sockAddr:DWORD
 .exit:
 ret
+ .overflow:
+ ; no place in buffer
+ ; so simply restore stack and exit
+ pop eax ecx
+ mov [ebx + SOCKET.lock], 0
+ ret
 endp
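Review bot: Changing `jnz` to `ja` is the right fix for a TotalLength below 40, which makes `sub ecx, 40` wrap to a huge unsigned count that `jnz` would happily hand to the copy loop; the reason should be on the line, e.g. `ja .data ; Read data, if any (ja, not jnz: a length < 40 wraps and must count as no data)`, because a later reader will see `ja` after a `sub` and wonder. The constant 40 still assumes a 20-byte IP header and a 20-byte TCP header; if IHL and the TCP data offset are not validated before this point (outside the hunk), option bytes are delivered to the application as payload and the length used for the buffer bound is wrong in the other direction. stateTCB_ESTABLISHED continues outside the hunk.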
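Review bot: `call wait_mutex` is now executed from stateTCB_ESTABLISHED, i.e. from the packet-processing context, while the same lock is held by socket_read across a full buffer shift; whether wait_mutex can yield from that context, or whether packet processing runs with interrupts disabled, is not visible here and is what decides between a clean wait and a lockup. A comment at `.data:` stating the required context would settle it for the next reader, e.g. `; takes SOCKET.lock; must run where wait_mutex may block`. The new `cmp eax, SOCKETBUFFSIZE - SOCKETHEADERSIZE` is the only bound on `lea edi, [ebx + eax + SOCKETHEADERSIZE]` below it, so the relation between SOCKETHEADERSIZE and the struct's `.rxData` offset, which this commit shifts by adding `.lock`, is what makes this check exact; that relation is not established anywhere in the patch.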
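Review bot: The `.overflow` path drops the segment silently: it pops the two saved values, releases the lock and returns, with no counter, log line or event, so a receiver stall caused by a full buffer is indistinguishable from packet loss when debugging a stuck connection. If the acknowledgement state for this segment is advanced somewhere outside this early return, which the hunk does not show, the peer will consider the dropped bytes delivered and they are lost for good; the intended behaviour is to leave the ACK number unchanged so the peer retransmits, and that should be stated in the comment, e.g. `; no place in buffer: drop segment without advancing ACK so the peer retransmits`. `pop eax ecx` is the fasm multi-operand form and pops eax first, which matches the push order `push ecx` then `push [ebx + SOCKET.PID]` in the -929 hunk.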