qemu-stable

Re: [PATCH] qemu-sockets: fix unix socket path copy (again)


From: Michael Tokarev
Subject: Re: [PATCH] qemu-sockets: fix unix socket path copy (again)
Date: Wed, 1 Sep 2021 11:29:58 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0

On 31.08.2021 22:47, Peter Maydell wrote:
On Tue, 31 Aug 2021 at 19:34, Michael Tokarev <mjt@tls.msk.ru> wrote:
..
-    assert(salen >= sizeof(su->sun_family) + 1 &&
-           salen <= sizeof(struct sockaddr_un));
+    /* there's a corner case when trailing \0 does not fit into
+     * sockaddr_un. Compare length with sizeof(sockaddr_storage),
+     * not with sizeof(sockaddr_un), since this is what we actually
+     * provide, to ensure we had no truncation and a room for
+     * the trailing \0 which we add below.
+     * When salen == sizeof(sun_family) it is unnamed socket,
+     * and when first byte of sun_path is \0, it is abstract. */
+    assert(salen >= sizeof(su->sun_family) &&
+           salen <= sizeof(struct sockaddr_storage));
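Review bot: the comment in this hunk says the upper bound leaves "a room for the trailing \0 which we add below", but `salen <= sizeof(struct sockaddr_storage)` still admits salen equal to the buffer size, which leaves no room at all. If the trailing \0 is written into the same sockaddr_storage buffer at offset salen, the bound needs to be strict (`salen < sizeof(struct sockaddr_storage)`); if the path is instead copied into a separately allocated string, the comment should say only that the bound detects truncation by the kernel, not that it guarantees space for the terminator.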

Again, why are we asserting an upper bound? We don't care here:
the representation in the SocketAddress structure has no length
limit on the path. (Conversely, we do care about the max length
when we convert from a SocketAddress to a sockaddr_un: we do this
in e.g. unix_connect_saddr().)

We have sizeof(sockaddr_storage) space there. If the kernel returned
salen greater than that, this means we received only partial address
and can't rely on it. It is like snprintf() returning more bytes than
available in the buffer - it says how many bytes are NEEDED.

/mjt
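The length handling discussed in this thread, as an added example that is not QEMU's code: a converter that checks the kernel-supplied salen against the size of the buffer it was given (rejecting both undersized and truncated results, the snprintf-style "bytes needed" case), distinguishes unnamed, abstract and pathname sockets, and copies the path into its own allocation so the trailing NUL never has to fit inside sockaddr_un. The names unix_addr_to_path, build_unix_addr, run_case and the un_kind enum are hypothetical; the addresses are constructed inline rather than captured from a real kernel.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical names for this example; not QEMU's own API. */
enum un_kind { UN_INVALID, UN_UNNAMED, UN_ABSTRACT, UN_PATHNAME };

/*
 * Validate a (sockaddr_un, salen) pair as filled in by the kernel and copy
 * the name into a freshly malloc'd, NUL-terminated string (*path_out).
 *
 * buf_size is the size of the buffer that was handed to the kernel (in the
 * code under discussion: sizeof(struct sockaddr_storage)).  A salen larger
 * than buf_size means the kernel needed more room than it had, i.e. the
 * address is truncated and its contents cannot be trusted.  The trailing
 * NUL goes into our own allocation, never into the kernel-filled buffer.
 */
static enum un_kind unix_addr_to_path(const struct sockaddr_un *su,
                                      socklen_t salen, size_t buf_size,
                                      char **path_out)
{
    /* On Linux offsetof(sun_path) == sizeof(sun_family), the bound the patch uses. */
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    size_t pathlen, n;
    const char *nul;

    *path_out = NULL;
    if (salen < hdr || salen > buf_size) {
        return UN_INVALID;          /* undersized, or truncated by the kernel */
    }
    if (su->sun_family != AF_UNIX) {
        return UN_INVALID;
    }
    pathlen = salen - hdr;
    if (pathlen == 0) {
        return UN_UNNAMED;          /* socket was never bound to a name */
    }
    if (su->sun_path[0] == '\0') {
        /* Abstract namespace: pathlen-1 bytes after the leading NUL, not
         * NUL-terminated by the kernel (embedded NULs are not handled here). */
        n = pathlen - 1;
        if (!(*path_out = malloc(n + 1))) return UN_INVALID;
        memcpy(*path_out, su->sun_path + 1, n);
        (*path_out)[n] = '\0';
        return UN_ABSTRACT;
    }
    /* Filesystem path: the kernel may or may not have counted a trailing NUL
     * in salen, so stop at the first NUL within pathlen bytes, if any. */
    nul = memchr(su->sun_path, '\0', pathlen);
    n = nul ? (size_t)(nul - su->sun_path) : pathlen;
    if (!(*path_out = malloc(n + 1))) return UN_INVALID;
    memcpy(*path_out, su->sun_path, n);
    (*path_out)[n] = '\0';
    return UN_PATHNAME;
}

/* Build a constructed sockaddr_un from raw sun_path bytes (rawlen must not
 * exceed sizeof(sun_path)); returns the salen a kernel would report. */
static socklen_t build_unix_addr(struct sockaddr_storage *ss,
                                 const char *raw, size_t rawlen)
{
    struct sockaddr_un *su = (struct sockaddr_un *)ss;
    memset(ss, 0, sizeof(*ss));
    su->sun_family = AF_UNIX;
    memcpy(su->sun_path, raw, rawlen);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + rawlen);
}

/* Run one constructed case; salen == 0 means "as built".  The resulting
 * string (or "") is copied into out for inspection. */
static enum un_kind run_case(const char *raw, size_t rawlen, socklen_t salen,
                             char *out, size_t outsz)
{
    struct sockaddr_storage ss;
    char *path;
    socklen_t built = build_unix_addr(&ss, raw, rawlen);
    enum un_kind k = unix_addr_to_path((struct sockaddr_un *)&ss,
                                       salen ? salen : built,
                                       sizeof(ss), &path);
    snprintf(out, outsz, "%s", path ? path : "");
    free(path);
    return k;
}

int main(void)
{
    char out[256], full[sizeof(((struct sockaddr_un *)0)->sun_path)];
    memset(full, 'a', sizeof(full));   /* path that fills sun_path, no NUL */
    printf("kind=%d path=%s\n", run_case("/tmp/x.sock", 11, 0, out, sizeof(out)), out);
    printf("kind=%d len=%zu\n", run_case(full, sizeof(full), 0, out, sizeof(out)), strlen(out));
    printf("kind=%d (truncated)\n", run_case("/tmp/x.sock", 11,
           (socklen_t)sizeof(struct sockaddr_storage) + 1, out, sizeof(out)));
    return 0;
}
```

The full-length case is the one from the patch subject: 108 path bytes and a salen of sizeof(struct sockaddr_un) leave no space for a terminator inside the kernel buffer, which is harmless here only because the NUL is appended in the caller-owned copy.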


