qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] qemu-sockets: fix unix socket path copy (again)

From: Peter Maydell
Subject: Re: [PATCH] qemu-sockets: fix unix socket path copy (again)
Date: Wed, 1 Sep 2021 10:52:21 +0100 
On Wed, 1 Sept 2021 at 09:29, Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> On 31.08.2021 22:47, Peter Maydell wrote:
> > On Tue, 31 Aug 2021 at 19:34, Michael Tokarev <mjt@tls.msk.ru> wrote:
> ..
> >> -    assert(salen >= sizeof(su->sun_family) + 1 &&
> >> -           salen <= sizeof(struct sockaddr_un));
> >> +    /* there's a corner case when trailing \0 does not fit into
> >> +     * sockaddr_un. Compare length with sizeof(sockaddr_storage),
> >> +     * not with sizeof(sockaddr_un), since this is what we actually
> >> +     * provide, to ensure we had no truncation and a room for
> >> +     * the trailing \0 which we add below.
> >> +     * When salen == sizeof(sun_family) it is unnamed socket,
> >> +     * and when first byte of sun_path is \0, it is abstract. */
> >> +    assert(salen >= sizeof(su->sun_family) &&
> >> +           salen <= sizeof(struct sockaddr_storage));
> >
> > Again, why are we asserting an upper bound? We don't care here:
> > the representation in the SocketAddress structure has no length
> > limit on the path. (Conversely, we do care about the max length
> > when we convert from a SocketAddress to a sockaddr_un: we do this
> > in eg unix_connect_saddr().)
>
> We have sizeof(sockaddr_storage) space there. If the kernel returned
> salen greather than that, this means we received only partial address
> and can't rely on it. It is like snprintf() returning more bytes than
> available in the buffer - it says how much bytes NEEDED.

I think that if we need to check that we should be checking that
at the point where we make the accept() or whatever other call
filled in the sockaddr. That is the point at which the code
either (a) knows that the buffer is guaranteed big enough and
can assert that if it likes or (b) may have some reasonable way
to deal with the failure, eg allocate a bigger buffer and retry,
and (c) it is also the point where the code knows how big the actual
buffer it passed to the kernel is and so can validly determine if
it was truncated.

We don't check that the address is not truncated in any of the
other sockaddr-type-to-SocketAddress conversion functions...

-- PMM
reply via email to
[Prev in Thread] Current Thread [Next in Thread]