Fix vulnerability in enc_untrusted_recvfrom

Change recvfrom memcpy to check for received_buffer size to avoid copying extra buffer. This issue was reported by Qinkun Bao, Zhaofeng Chen, Mingshen Sun, and Kang Li from Baidu Security. PiperOrigin-RevId: 322476299 Change-Id: I3606ff9ec51ec7cc4312c7555c645a2fc6e09b21
google · Jul 22, 2020 · 299f804 · 299f804
1 parent e582f36
commit 299f804
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/asylo/platform/host_call/trusted/host_calls.cc b/asylo/platform/host_call/trusted/host_calls.cc
@@ -982,7 +982,7 @@ ssize_t enc_untrusted_recvfrom(int sockfd, void *buf, size_t len, int flags,
   }
 
   auto buffer_received = output.next();
-  memcpy(buf, buffer_received.data(), len);
+  memcpy(buf, buffer_received.data(), std::min(len, buffer_received.size()));
 
   // If |src_addr| is not NULL, and the underlying protocol provides the source
   // address, this source address is filled in. When |src_addr| is NULL, nothing