Fix send_nb_ negative offset UB and send_len_ OOB read

carpentry-heartbeat[bot] · carpentry-heartbeat[bot] · commit e4c4536d5fb7 · 2026-05-26T04:51:50.000+02:00
- Add offset &lt; 0 guard to send_nb_ to prevent pointer arithmetic
  underflow on negative offset values
- Add len bounds check to send_len_ to reject negative len or len
  exceeding the string length (returns -1/error)
- Update send-len doc to state the precondition
- Add tests for send-nb with non-zero and negative offset
diff --git a/src/unix_stream.carp b/src/unix_stream.carp
@@ -73,8 +73,9 @@
     (Fn [&UnixStream &String Int] Int)
     "UnixStream_send_MINUS_len_")
 
-  (doc send-len
-    "sends a string with known length (avoids strlen). Returns bytes sent or an error.")
+  (doc send-len "sends a string with known length (avoids strlen). `len` must be
+between 0 and the string’s length; returns an error otherwise.
+Returns bytes sent or an error.")
   (defn send-len [stream msg len]
     (let [n (send-len- stream msg len)]
       (if (= n -1) (Result.Error (System.error-text)) (Result.Success n))))
diff --git a/src/unix_stream.h b/src/unix_stream.h
@@ -110,11 +110,12 @@ void UnixStream_set_MINUS_nonblocking(UnixStream* s) {
 }
 
 int UnixStream_send_MINUS_len_(UnixStream* s, String* msg, int len) {
+  if (len < 0 || len > (int)strlen(*msg)) return -1;
   return (int)send_all(s->fd, *msg, (size_t)len);
 }
 
 int UnixStream_send_MINUS_nb_(UnixStream* s, Array* data, int offset) {
-  if (offset >= data->len) return 0;
+  if (offset < 0 || offset >= data->len) return 0;
   ssize_t n = send(s->fd, (char*)data->data + offset,
                    (size_t)(data->len - offset), 0);
   if (n >= 0) return (int)n;
diff --git a/test/unix_test.carp b/test/unix_test.carp
@@ -68,6 +68,14 @@
                   (match (UnixStream.send-nb &client &payload 0)
                     (Result.Success n) (when (/= n 2) (set! ok false))
                     (Result.Error _) (set! ok false))
+                  ; send-nb with offset skips leading bytes
+                  (match (UnixStream.send-nb &client &payload 1)
+                    (Result.Success n) (when (/= n 1) (set! ok false))
+                    (Result.Error _) (set! ok false))
+                  ; send-nb with negative offset returns 0 (guard)
+                  (match (UnixStream.send-nb &client &payload -1)
+                    (Result.Success n) (when (/= n 0) (set! ok false))
+                    (Result.Error _) (set! ok false))
                   (UnixStream.close client)
                   (UnixStream.close conn)
                   (UnixListener.close listener)

Original file line number	Diff line number	Diff line change
`@@ -110,11 +110,12 @@ void UnixStream_set_MINUS_nonblocking(UnixStream* s) {`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`int UnixStream_send_MINUS_len_(UnixStream* s, String* msg, int len) {`
	`113`	`+ if (len < 0 \|\| len > (int)strlen(*msg)) return -1;`
`113`	`114`	`return (int)send_all(s->fd, *msg, (size_t)len);`
`114`	`115`	`}`
`115`	`116`
`116`	`117`	`int UnixStream_send_MINUS_nb_(UnixStream* s, Array* data, int offset) {`
`117`		`- if (offset >= data->len) return 0;`
	`118`	`+ if (offset < 0 \|\| offset >= data->len) return 0;`
`118`	`119`	`ssize_t n = send(s->fd, (char*)data->data + offset,`
`119`	`120`	`(size_t)(data->len - offset), 0);`
`120`	`121`	`if (n >= 0) return (int)n;`