From 88d6d362f649a33e88f7f7d47155acc36aed213f Mon Sep 17 00:00:00 2001
From: Oren
Date: Sat, 14 Mar 2026 13:05:35 +0200
Subject: [PATCH] udp: validate nbufs in send functions
---
 CMakeLists.txt | 1 +
 Makefile.am | 1 +
 src/uv-common.c | 12 +++++++
 test/test-list.h | 2 ++
 test/test-udp-send-fail.c | 70 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 86 insertions(+)
 create mode 100644 test/test-udp-send-fail.c
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9b38b5553..e493b63f5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -697,6 +697,7 @@ if(LIBUV_BUILD_TESTS)
 test/test-udp-open.c
 test/test-udp-options.c
 test/test-udp-send-and-recv.c
+ test/test-udp-send-fail.c
 test/test-udp-send-hang-loop.c
 test/test-udp-send-immediate.c
 test/test-udp-sendmmsg-error.c
diff --git a/Makefile.am b/Makefile.am
index cc70ffe4b..87a0b0532 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -322,6 +322,7 @@ test_run_tests_SOURCES = test/blackhole-server.c \
 test/test-udp-open.c \
 test/test-udp-options.c \
 test/test-udp-send-and-recv.c \
+ test/test-udp-send-fail.c \
 test/test-udp-send-hang-loop.c \
 test/test-udp-send-immediate.c \
 test/test-udp-sendmmsg-error.c \
diff --git a/src/uv-common.c b/src/uv-common.c
index f1e8928d3..c29c1b3cf 100644
--- a/src/uv-common.c
+++ b/src/uv-common.c
@@ -492,6 +492,9 @@ int uv_udp_send(uv_udp_send_t* req,
 uv_udp_send_cb send_cb) {
 int addrlen;
+ if (nbufs < 1 || nbufs > 1024 * 1024)
+ return UV_EINVAL;
+
+ addrlen = uv__udp_check_before_send(handle, addr);
 if (addrlen < 0)
 return addrlen;
@@ -506,6 +509,9 @@ int uv_udp_try_send(uv_udp_t* handle,
 const struct sockaddr* addr) {
 int addrlen;
+ if (nbufs < 1 || nbufs > 1024 * 1024)
+ return UV_EINVAL;
+
+ addrlen = uv__udp_check_before_send(handle, addr);
 if (addrlen < 0)
 return addrlen;
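Review bot: The bound `1024 * 1024` is a bare literal in uv_udp_send, in uv_udp_try_send and again in the per-entry loop of the uv_udp_try_send2 hunk that follows, with nothing saying why that value was chosen or what the limit protects. nbufs is a caller-supplied count, so the cap presumably bounds work or allocation further down the send path, but that code is not visible in these hunks and a reader auditing the check cannot tell. I would define it once near the top of the file, e.g. `#define UV__UDP_NBUFS_MAX (1024 * 1024)` (the name is only a suggestion), with a comment such as `/* Upper bound on buffers per send; also rejects sign-converted negative counts before the platform send path. */`, and use it in all three places. The diffstat lists no documentation file, so the new UV_EINVAL return for an out-of-range nbufs also appears to be undocumented for API users. All three function bodies continue outside their hunks.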
@@ -520,12 +526,18 @@ int uv_udp_try_send2(uv_udp_t* handle,
 unsigned int nbufs[/*count*/],
 struct sockaddr* addrs[/*count*/],
 unsigned int flags) {
+ unsigned int i;
+
 if (count < 1)
 return UV_EINVAL;
 if (flags != 0)
 return UV_EINVAL;
+ for (i = 0; i < count; i++)
+ if (nbufs[i] < 1 || nbufs[i] > 1024 * 1024)
+ return UV_EINVAL;
+
 if (handle->send_queue_count > 0)
 return UV_EAGAIN;
diff --git a/test/test-list.h b/test/test-list.h
index 527ea013c..da4bbf7da 100644
--- a/test/test-list.h
+++ b/test/test-list.h
@@ -201,6 +201,7 @@ TEST_DECLARE (udp_reuseport)
 #ifndef _WIN32
 TEST_DECLARE (udp_send_unix)
 #endif
+TEST_DECLARE (udp_send_fail_nbufs)
 TEST_DECLARE (udp_sendmmsg_error)
 TEST_DECLARE (udp_try_send)
 TEST_DECLARE (pipe_bind_error_addrinuse)
@@ -829,6 +830,7 @@ TASK_LIST_START
 TEST_ENTRY (udp_multicast_join)
 TEST_ENTRY (udp_multicast_join6)
 TEST_ENTRY (udp_multicast_ttl)
+ TEST_ENTRY (udp_send_fail_nbufs)
 TEST_ENTRY (udp_sendmmsg_error)
 TEST_ENTRY (udp_try_send)
 TEST_ENTRY (udp_recv_in_a_row)
diff --git a/test/test-udp-send-fail.c b/test/test-udp-send-fail.c
new file mode 100644
index 000000000..b3722e4ea
--- /dev/null
+++ b/test/test-udp-send-fail.c
@@ -0,0 +1,70 @@
+/* Copyright libuv project contributors. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include "uv.h"
+#include "task.h"
+
+#include
+
+
+TEST_IMPL(udp_send_fail_nbufs) {
+ struct sockaddr_in addr;
+ uv_udp_send_t req;
+ uv_udp_t client;
+ uv_buf_t buf;
+ int r;
+
+ ASSERT_OK(uv_ip4_addr("127.0.0.1", TEST_PORT, &addr));
+ ASSERT_OK(uv_udp_init(uv_default_loop(), &client));
+
+ buf = uv_buf_init("PING", 4);
+
+ /* nbufs=0 should be rejected. */
+ r = uv_udp_send(&req,
+ &client,
+ &buf,
+ 0,
+ (const struct sockaddr*) &addr,
+ NULL);
+ ASSERT_EQ(UV_EINVAL, r);
+
+ /* Negative nbufs undergoes sign conversion to a large unsigned value. */
+ r = uv_udp_send(&req,
+ &client,
+ &buf,
+ -1,
+ (const struct sockaddr*) &addr,
+ NULL);
+ ASSERT_EQ(UV_EINVAL, r);
+
+ /* Same checks for uv_udp_try_send. */
+ r = uv_udp_try_send(&client, &buf, 0, (const struct sockaddr*) &addr);
+ ASSERT_EQ(UV_EINVAL, r);
+
+ r = uv_udp_try_send(&client, &buf, -1, (const struct sockaddr*) &addr);
+ ASSERT_EQ(UV_EINVAL, r);
+
+ uv_close((uv_handle_t*) &client, NULL);
+ uv_run(uv_default_loop(), UV_RUN_DEFAULT);
+
+ MAKE_VALGRIND_HAPPY(uv_default_loop());
+ return 0;
+}
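Review bot: The test never calls uv_udp_try_send2, although the commit adds a per-entry nbufs check to it, and for the two functions it does call it probes only 0 and -1, so the upper edge of the accepted range is untested. A typo in the limit or in the try_send2 loop would pass this test unnoticed. I would add a just-over-the-limit case and a try_send2 case with one-element arrays, as sketched below; in the patched functions the range check returns before any buffer is read, so a single real buffer is enough. The sketch needs three one-element locals next to the existing declarations.

```c
  /* added next to the existing locals */
  uv_buf_t* bufs[1];
  unsigned int nbufs[1];
  struct sockaddr* addrs[1];

  /* … unchanged: uv_udp_send and uv_udp_try_send cases with nbufs 0 and -1 … */

  /* One past the accepted maximum must be rejected as well. */
  r = uv_udp_try_send(&client,
                      &buf,
                      1024 * 1024 + 1,
                      (const struct sockaddr*) &addr);
  ASSERT_EQ(UV_EINVAL, r);

  /* uv_udp_try_send2 checks every nbufs[i]. */
  bufs[0] = &buf;
  addrs[0] = (struct sockaddr*) &addr;
  nbufs[0] = 0;
  r = uv_udp_try_send2(&client, 1, bufs, nbufs, addrs, 0);
  ASSERT_EQ(UV_EINVAL, r);

  nbufs[0] = 1024 * 1024 + 1;
  r = uv_udp_try_send2(&client, 1, bufs, nbufs, addrs, 0);
  ASSERT_EQ(UV_EINVAL, r);

  uv_close((uv_handle_t*) &client, NULL);
```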