Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 10 Jan 2004 14:31:42 -0800 (PST)
From:      Don Lewis <truckman@FreeBSD.org>
To:        nectar@FreeBSD.org
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/kern uipc_syscalls.c
Message-ID:  <200401102231.i0AMVg7E028954@gw.catspoiler.org>
In-Reply-To: <20040110152347.GD80448@madman.celabo.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On 10 Jan, Jacques A. Vidrine wrote:
> On Sat, Jan 10, 2004 at 12:28:54AM -0800, Don Lewis wrote:
>> truckman    2004/01/10 00:28:54 PST
>> 
>>   FreeBSD src repository
>> 
>>   Modified files:
>>     sys/kern             uipc_syscalls.c 
>>   Log:
>>   Add a somewhat redundant check on the len arguement to getsockaddr() to
>>   avoid relying on the minimum memory allocation size to avoid problems.
>>   The check is somewhat redundant because the consumers of the returned
>>   structure will check that sa_len is a protocol-specific larger size.
>>   
>>   Submitted by:   Matthew Dillon <dillon@apollo.backplane.com>
>>   Reviewed by:    nectar
>>   MFC after:      30 days
> 
> But the check *is not* redundant.  The consumers cannot safely check
> sa_len if the allocation were to be less than `offsetof(struct
> sa_sockaddr, data[0])'--- which it never is, by chance, due to the
> minimum memory allocation size, as you noted.  But we shall all feel
> better that this is made explicit.  FWIW, I think the check should
> have been for `sizeof(*sa)' technically, but what has been committed
> is safe, too, I believe.

The only reason it is redundant instead of manditory is because of the
minimum allocation allocation happens to be large enough for
getsockaddr() to write to sa_len.  If it is safe for getsockaddr() to
write to sa_len, then it is safe for the consumers to read sa_len.

BTW, I think a better solution is for getsockaddr() to call an address
family specific length checker before returning, and to remove the
sa_len check from all the consumers.  With the commit I did to the tcp
code after this commit, sa_len is checked three times for the bind() and
connect() syscalls.  I wasn't feeling that ambitious, though.

It looks like the AF_UNIX implementation allows the length to be shorter
than sizeof(*sa).  It appears that you don't have to pass in the full
104 character sun_path.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200401102231.i0AMVg7E028954>