authorwtc%netscape.com <devnull@localhost>2002-01-23 02:41:13 +0000
committerwtc%netscape.com <devnull@localhost>2002-01-23 02:41:13 +0000
commit598873b69c96733dd609ed7a20955a1da1906f4d (patch)
tree47cd892f33fadde3176adada7ef24fcba7bfb7b4
parentf908b0a8760867a3a6beb4b175340a0fd56f7804 (diff)
downloadnspr-hg-598873b69c96733dd609ed7a20955a1da1906f4d.tar.gz
Bugzilla bug 106496: PR_NewTCPSocketPair should check the source of the
connection.
-rw-r--r--pr/src/io/prsocket.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/pr/src/io/prsocket.c b/pr/src/io/prsocket.c
index 217b6fd0..86279237 100644
--- a/pr/src/io/prsocket.c
+++ b/pr/src/io/prsocket.c
@@ -1469,7 +1469,7 @@ failed:
* default implementation
*/
PRFileDesc *listenSock;
- PRNetAddr selfAddr;
+ PRNetAddr selfAddr, peerAddr;
PRUint16 port;
f[0] = f[1] = NULL;
@@ -1507,10 +1507,23 @@ failed:
== PR_FAILURE) {
goto failed;
}
- f[1] = PR_Accept(listenSock, NULL, PR_INTERVAL_NO_TIMEOUT);
+ /*
+ * A malicious local process may connect to the listening
+ * socket, so we need to verify that the accepted connection
+ * is made from our own socket f[0].
+ */
+ if (PR_GetSockName(f[0], &selfAddr) == PR_FAILURE) {
+ goto failed;
+ }
+ f[1] = PR_Accept(listenSock, &peerAddr, PR_INTERVAL_NO_TIMEOUT);
if (f[1] == NULL) {
goto failed;
}
+ if (peerAddr.inet.port != selfAddr.inet.port) {
+ /* the connection we accepted is not from f[0] */
+ PR_SetError(PR_INSUFFICIENT_RESOURCES_ERROR, 0);
+ goto failed;
+ }
PR_Close(listenSock);
return PR_SUCCESS;
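Review bot: The source check at `if (peerAddr.inet.port != selfAddr.inet.port)` compares only the port, so an accepted connection with the same port number but a different address would pass. Comparing the address as well closes that gap: `if (peerAddr.inet.port != selfAddr.inet.port || peerAddr.inet.ip != selfAddr.inet.ip) {`. How listenSock is bound is outside this hunk, so whether non-loopback peers can reach it is unconfirmed. On a mismatch the whole call fails, so a local process that connects first can make PR_NewTCPSocketPair fail repeatedly; closing the stray descriptor and calling PR_Accept again, with a bounded retry count, would keep the check without that denial-of-service side effect. `PR_INSUFFICIENT_RESOURCES_ERROR` also misreports the condition to callers. The enclosing function begins before this hunk.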
@@ -1521,6 +1534,9 @@ failed:
if (f[0]) {
PR_Close(f[0]);
}
+ if (f[1]) {
+ PR_Close(f[1]);
+ }
return PR_FAILURE;
#endif
}
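Review bot: After `PR_Close(f[1]);` the caller's array still holds the pointer to the closed descriptor, and the same is true of f[0] just above. Adding `f[1] = NULL;` (and `f[0] = NULL;`) after each close would stop a caller that ignores the return value from touching a freed PRFileDesc. The `failed:` label and the start of the cleanup path lie above this hunk, so whether listenSock is also closed on failure cannot be confirmed from here.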