udp: validate nbufs in send functions

2026-03-14 13:05:35 +02:00 · 2026-03-14 13:05:35 +02:00 · 88d6d362f6
commit 88d6d362f6
parent ec0ab5d77d
5 changed files with 86 additions and 0 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -697,6 +697,7 @@ if(LIBUV_BUILD_TESTS)
       test/test-udp-open.c
       test/test-udp-options.c
       test/test-udp-send-and-recv.c
+       test/test-udp-send-fail.c
       test/test-udp-send-hang-loop.c
       test/test-udp-send-immediate.c
       test/test-udp-sendmmsg-error.c
--- a/Makefile.am
+++ b/Makefile.am
@ -322,6 +322,7 @@ test_run_tests_SOURCES = test/blackhole-server.c \
                         test/test-udp-open.c \
                         test/test-udp-options.c \
                         test/test-udp-send-and-recv.c \
+                         test/test-udp-send-fail.c \
                         test/test-udp-send-hang-loop.c \
                         test/test-udp-send-immediate.c \
                         test/test-udp-sendmmsg-error.c \
--- a/src/uv-common.c
+++ b/src/uv-common.c
@ -492,6 +492,9 @@ int uv_udp_send(uv_udp_send_t* req,
                uv_udp_send_cb send_cb) {
  int addrlen;

+  if (nbufs < 1 || nbufs > 1024 * 1024)
+    return UV_EINVAL;
+
  addrlen = uv__udp_check_before_send(handle, addr);
  if (addrlen < 0)
    return addrlen;
@ -506,6 +509,9 @@ int uv_udp_try_send(uv_udp_t* handle,
                    const struct sockaddr* addr) {
  int addrlen;

+  if (nbufs < 1 || nbufs > 1024 * 1024)
+    return UV_EINVAL;
+
  addrlen = uv__udp_check_before_send(handle, addr);
  if (addrlen < 0)
    return addrlen;
@ -520,12 +526,18 @@ int uv_udp_try_send2(uv_udp_t* handle,
                     unsigned int nbufs[/*count*/],
                     struct sockaddr* addrs[/*count*/],
                     unsigned int flags) {
+  unsigned int i;
+
  if (count < 1)
    return UV_EINVAL;

  if (flags != 0)
    return UV_EINVAL;

+  for (i = 0; i < count; i++)
+    if (nbufs[i] < 1 || nbufs[i] > 1024 * 1024)
+      return UV_EINVAL;
+
  if (handle->send_queue_count > 0)
    return UV_EAGAIN;

--- a/test/test-list.h
+++ b/test/test-list.h
@ -201,6 +201,7 @@ TEST_DECLARE   (udp_reuseport)
 #ifndef _WIN32
 TEST_DECLARE   (udp_send_unix)
 #endif
+TEST_DECLARE   (udp_send_fail_nbufs)
 TEST_DECLARE   (udp_sendmmsg_error)
 TEST_DECLARE   (udp_try_send)
 TEST_DECLARE   (pipe_bind_error_addrinuse)
@ -829,6 +830,7 @@ TASK_LIST_START
  TEST_ENTRY  (udp_multicast_join)
  TEST_ENTRY  (udp_multicast_join6)
  TEST_ENTRY  (udp_multicast_ttl)
+  TEST_ENTRY  (udp_send_fail_nbufs)
  TEST_ENTRY  (udp_sendmmsg_error)
  TEST_ENTRY  (udp_try_send)
  TEST_ENTRY  (udp_recv_in_a_row)
--- a/test/test-udp-send-fail.c
+++ b/test/test-udp-send-fail.c
@ -0,0 +1,70 @@
+/* Copyright libuv project contributors. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include "uv.h"
+#include "task.h"
+
+#include <string.h>
+
+
+TEST_IMPL(udp_send_fail_nbufs) {
+  struct sockaddr_in addr;
+  uv_udp_send_t req;
+  uv_udp_t client;
+  uv_buf_t buf;
+  int r;
+
+  ASSERT_OK(uv_ip4_addr("127.0.0.1", TEST_PORT, &addr));
+  ASSERT_OK(uv_udp_init(uv_default_loop(), &client));
+
+  buf = uv_buf_init("PING", 4);
+
+  /* nbufs=0 should be rejected. */
+  r = uv_udp_send(&req,
+                   &client,
+                   &buf,
+                   0,
+                   (const struct sockaddr*) &addr,
+                   NULL);
+  ASSERT_EQ(UV_EINVAL, r);
+
+  /* Negative nbufs undergoes sign conversion to a large unsigned value. */
+  r = uv_udp_send(&req,
+                   &client,
+                   &buf,
+                   -1,
+                   (const struct sockaddr*) &addr,
+                   NULL);
+  ASSERT_EQ(UV_EINVAL, r);
+
+  /* Same checks for uv_udp_try_send. */
+  r = uv_udp_try_send(&client, &buf, 0, (const struct sockaddr*) &addr);
+  ASSERT_EQ(UV_EINVAL, r);
+
+  r = uv_udp_try_send(&client, &buf, -1, (const struct sockaddr*) &addr);
+  ASSERT_EQ(UV_EINVAL, r);
+
+  uv_close((uv_handle_t*) &client, NULL);
+  uv_run(uv_default_loop(), UV_RUN_DEFAULT);
+
+  MAKE_VALGRIND_HAPPY(uv_default_loop());
+  return 0;
+}