qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] qemu-sockets: fix unix socket path copy (again)

From: Daniel P . Berrangé
Subject: Re: [PATCH] qemu-sockets: fix unix socket path copy (again)
Date: Wed, 1 Sep 2021 12:57:31 +0100
User-agent: Mutt/2.0.7 (2021-05-04) 
On Wed, Sep 01, 2021 at 11:29:58AM +0300, Michael Tokarev wrote:
> On 31.08.2021 22:47, Peter Maydell wrote:
> > On Tue, 31 Aug 2021 at 19:34, Michael Tokarev <mjt@tls.msk.ru> wrote:
> ..
> > > -    assert(salen >= sizeof(su->sun_family) + 1 &&
> > > -           salen <= sizeof(struct sockaddr_un));
> > > +    /* there's a corner case when trailing \0 does not fit into
> > > +     * sockaddr_un. Compare length with sizeof(sockaddr_storage),
> > > +     * not with sizeof(sockaddr_un), since this is what we actually
> > > +     * provide, to ensure we had no truncation and a room for
> > > +     * the trailing \0 which we add below.
> > > +     * When salen == sizeof(sun_family) it is unnamed socket,
> > > +     * and when first byte of sun_path is \0, it is abstract. */
> > > +    assert(salen >= sizeof(su->sun_family) &&
> > > +           salen <= sizeof(struct sockaddr_storage));
> > 
> > Again, why are we asserting an upper bound? We don't care here:
> > the representation in the SocketAddress structure has no length
> > limit on the path. (Conversely, we do care about the max length
> > when we convert from a SocketAddress to a sockaddr_un: we do this
> > in eg unix_connect_saddr().)
> 
> We have sizeof(sockaddr_storage) space there. If the kernel returned
> salen greather than that, this means we received only partial address
> and can't rely on it. It is like snprintf() returning more bytes than
> available in the buffer - it says how much bytes NEEDED.

The salen parameter to 'accept' / 'getsockname' etc is caller
supplied and indicates how long the buffer provided is. The
kernel updates the value on success, but the updated vaue
will never exceed the input value. According to the manpage
if salen only allows sizeof(struct sockaddr_un), then the
returned data will simply not be NUL-terminated.

I'm increasingly inclined to agree with Peter though, we should
just not try to do this assert because it isn't adding value.
We have a trust relationship with the kernel and so can assume
salen values it gives us are correct. We only need to assert
if we're validating an assumption that we're making ourselves,
that isn't otherwise guaranteed by the kernel API semantics.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
reply via email to
[Prev in Thread] Current Thread [Next in Thread]