From e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 Mon Sep 17 00:00:00 2001 From: Vignesh Babu Date: Thu, 12 Sep 2024 11:13:45 -0700 Subject: [PATCH] [EventEngine] Fix bug in Tx0cp code path in posix endpoint. This fix ensures that the iov_base pointers point to the right address. PiperOrigin-RevId: 673923651 CVE: CVE-2024-11407 Upstream-Status: Backport [https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791] Signed-off-by: Peter Marko --- src/core/lib/event_engine/posix_engine/posix_endpoint.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/lib/event_engine/posix_engine/posix_endpoint.cc b/src/core/lib/event_engine/posix_engine/posix_endpoint.cc index 7634bb1334b..c5708db02c5 100644 --- a/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +++ b/src/core/lib/event_engine/posix_engine/posix_endpoint.cc @@ -240,7 +240,7 @@ msg_iovlen_type TcpZerocopySendRecord::PopulateIovs(size_t* unwind_slice_idx, iov_size++) { MutableSlice& slice = internal::SliceCast( buf_.MutableSliceAt(out_offset_.slice_idx)); - iov[iov_size].iov_base = slice.begin(); + iov[iov_size].iov_base = slice.begin() + out_offset_.byte_idx; iov[iov_size].iov_len = slice.length() - out_offset_.byte_idx; *sending_length += iov[iov_size].iov_len; ++(out_offset_.slice_idx); -- 2.30.2