Skip to content

fix out-of-bounds write when buflen == 0 in getAddressStr#2627

Closed
metsw24-max wants to merge 1 commit into
facebook:mainfrom
metsw24-max:socketaddress-zero-length-buffer
Closed

fix out-of-bounds write when buflen == 0 in getAddressStr#2627
metsw24-max wants to merge 1 commit into
facebook:mainfrom
metsw24-max:socketaddress-zero-length-buffer

Conversation

@metsw24-max

Copy link
Copy Markdown
Contributor

Fix a potential out-of-bounds write in SocketAddress::getAddressStr(char*, size_t) when buflen == 0

The current implementation computes:

size_t len = std::min(buflen - 1, ret.size());

When buflen == 0, this causes an unsigned underflow (buflen - 1 → SIZE_MAX), resulting in:

-len becoming ret.size()
-memcpy writing data into a buffer with declared size 0
-an additional out-of-bounds write from buf[len] = '\0'

@meta-cla

meta-cla Bot commented Apr 3, 2026

Copy link
Copy Markdown

Hi @metsw24-max!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

@meta-cla

meta-cla Bot commented Apr 3, 2026

Copy link
Copy Markdown

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@meta-cla meta-cla Bot added the CLA Signed label Apr 3, 2026
@meta-codesync

meta-codesync Bot commented Apr 14, 2026

Copy link
Copy Markdown

@yfeldblum has imported this pull request. If you are a Meta employee, you can view this in D100738091.

@meta-codesync

meta-codesync Bot commented Apr 15, 2026

Copy link
Copy Markdown

@yfeldblum merged this pull request in 5af4bb5.

bolunfeng pushed a commit to bolunfeng/folly that referenced this pull request May 22, 2026
…#2627)

Summary:
Fix a potential out-of-bounds write in `SocketAddress::getAddressStr(char*, size_t)` when `buflen == 0`

The current implementation computes:

```cpp
size_t len = std::min(buflen - 1, ret.size());
```

When buflen == 0, this causes an unsigned underflow (buflen - 1 → SIZE_MAX), resulting in:

-len becoming ret.size()
-memcpy writing data into a buffer with declared size 0
-an additional out-of-bounds write from buf[len] = '\0'

Pull Request resolved: facebook#2627

Reviewed By: dmm-fb

Differential Revision: D100738091

Pulled By: yfeldblum

fbshipit-source-id: 37225f329a340ec4e1964345b6e633bd1a5ff4bb
meta-codesync Bot pushed a commit to facebook/hhvm that referenced this pull request Jun 1, 2026
Summary:
Fix a potential out-of-bounds write in `SocketAddress::getAddressStr(char*, size_t)` when `buflen == 0`

The current implementation computes:

```cpp
size_t len = std::min(buflen - 1, ret.size());
```

When buflen == 0, this causes an unsigned underflow (buflen - 1 → SIZE_MAX), resulting in:

-len becoming ret.size()
-memcpy writing data into a buffer with declared size 0
-an additional out-of-bounds write from buf[len] = '\0'

X-link: facebook/folly#2627

Reviewed By: dmm-fb

Differential Revision: D100738091

Pulled By: yfeldblum

fbshipit-source-id: 37225f329a340ec4e1964345b6e633bd1a5ff4bb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

1 participant