From d9e95d8982ee5b409b36f09c77feccbb1040095c Mon Sep 17 00:00:00 2001 From: cjihrig Date: Wed, 20 Jun 2018 17:27:09 -0400 Subject: [PATCH] net: validate fds passed to Socket constructor This commit validates the file descriptor passed to the TTY wrap's guessHandleType() function. Prior to this commit, a bad file descriptor would trigger an abort in the binding layer. PR-URL: https://github.com/nodejs/node/pull/21429 Reviewed-By: Anna Henningsen Reviewed-By: Ben Noordhuis Reviewed-By: Minwoo Jung Reviewed-By: Richard Lau Reviewed-By: Luigi Pinca Reviewed-By: Santiago Gimeno Reviewed-By: Ruben Bridgewater Reviewed-By: James M Snell Reviewed-By: Trivikram Kamat --- lib/net.js | 3 ++- test/parallel/test-net-socket-constructor.js | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/lib/net.js b/lib/net.js index 0f80b4189718ba..2f341f53a1b41f 100644 --- a/lib/net.js +++ b/lib/net.js @@ -75,7 +75,7 @@ const { ERR_SOCKET_BAD_PORT, ERR_SOCKET_CLOSED } = errors.codes; - +const { validateInt32 } = require('internal/validators'); const kLastWriteQueueSize = Symbol('lastWriteQueueSize'); // Lazy loaded to improve startup performance. @@ -93,6 +93,7 @@ const { function noop() {} function createHandle(fd, is_server) { + validateInt32(fd, 'fd', 0); const type = TTYWrap.guessHandleType(fd); if (type === 'PIPE') { return new Pipe( diff --git a/test/parallel/test-net-socket-constructor.js b/test/parallel/test-net-socket-constructor.js index 6758e286fb1be3..ec2e99deb84880 100644 --- a/test/parallel/test-net-socket-constructor.js +++ b/test/parallel/test-net-socket-constructor.js @@ -4,6 +4,14 @@ const common = require('../common'); const assert = require('assert'); const net = require('net'); +common.expectsError(() => { + new net.Socket({ fd: -1 }); +}, { code: 'ERR_OUT_OF_RANGE' }); + +common.expectsError(() => { + new net.Socket({ fd: 'foo' }); +}, { code: 'ERR_INVALID_ARG_TYPE' }); + function test(sock, readable, writable) { let socket; if (sock instanceof net.Socket) {