public inbox for glibc-bugs@sourceware.org
* [Bug libc/13500] New: __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
From: igorlord at alum dot mit.edu @ 2011-12-14 20:30 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

             Bug #: 13500
           Summary: __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined
                    behavior when setting up ancillary data
           Product: glibc
           Version: 2.14
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: igorlord@alum.mit.edu
    Classification: Unclassified

In the current implementation, when setting up ancillary data, __cmsg_nxthdr
will try to read data from the uninitialized area of the ancillary buffer and
may erroneously return NULL.

  cmsg = (struct cmsghdr *) ((unsigned char *) cmsg
                             + CMSG_ALIGN (cmsg->cmsg_len));
  if ((unsigned char *) (cmsg + 1) > ((unsigned char *) mhdr->msg_control
                                      + mhdr->msg_controllen)
      || ((unsigned char *) cmsg + CMSG_ALIGN (cmsg->cmsg_len)
          > ((unsigned char *) mhdr->msg_control + mhdr->msg_controllen)))
    /* No more entries.  */
    return NULL;

Above is the relevant part of the current implementation. "cmsg->cmsg_len" in
the second "||" clause will read uninitialized data. That second "||" clause is
not needed at all (and the kernel version of this function does not have it).

This implementation is OK for parsing ancillary data (it provides some extra
sanity checking of the data), but it is broken for setting up ancillary data.

A workaround is to memset the entire ancillary data buffer to 0 before
initializing it, but there is no such requirement in the man pages, RFC 2292,
or RFC 3542. Glibc's implementation of CMSG_NXTHDR is not consistent with the
reference implementation in RFC 2292 and RFC 3542.

P.S. The current implementation does not support another RFC 2292/3542
requirement:

    The following behavior of this macro is new to this API: if the value of
    the cmsg pointer is NULL, a pointer to the cmsghdr structure describing the
    first ancillary data object is returned. That is, CMSG_NXTHDR(mhdr, NULL)
    is equivalent to CMSG_FIRSTHDR(mhdr).

But you'll probably want a different bug report for this.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
* [Bug libc/13500] __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
From: drepper.fsp at gmail dot com @ 2011-12-18 1:50 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

--- Comment #1 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-12-18 01:49:45 UTC ---
Where is the self-contained test case?
* [Bug libc/13500] __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
From: igorlord at alum dot mit.edu @ 2012-01-03 18:11 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

--- Comment #2 from Igor Lubashev <igorlord at alum dot mit.edu> 2012-01-03 18:10:45 UTC ---
Created attachment 6141
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6141
Test that fails, unless NEED_A_WORKAROUND_FOR_BUG_13500 is defined

Here is a test case. The expected output is "Looks good!". Currently, the
output is "CMSG_NXTHDR is lying -- I have space for another int".
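As an added example (not glibc's code and not the attachment from comment #2), the following shows the RFC 2292/3542 semantics the report asks for: a next-header step that reads only the current header's cmsg_len and accepts NULL as "first header", used to fill an ancillary buffer that is deliberately seeded with 0xFF instead of the memset-to-0 workaround. The SOL_SOCKET level, type 0 and the 10/20/30 payloads are illustrative placeholders.

```c
#include <string.h>
#include <sys/socket.h>

/* RFC 3542-style step (added example, not glibc's code): it reads only the current
   header's cmsg_len, never the next slot, so filling a buffer is safe; NULL = first. */
struct cmsghdr *cmsg_nxthdr_rfc(struct msghdr *mhdr, struct cmsghdr *cmsg)
{
    unsigned char *base = mhdr->msg_control;
    if (cmsg == NULL)
        return CMSG_FIRSTHDR(mhdr);
    if (cmsg->cmsg_len < sizeof(struct cmsghdr))   /* malformed current header */
        return NULL;
    size_t off  = (unsigned char *) cmsg - base;    /* cmsg lies inside the buffer */
    size_t step = CMSG_ALIGN(cmsg->cmsg_len);
    size_t left = mhdr->msg_controllen - off;
    if (step > left || left - step < sizeof(struct cmsghdr))
        return NULL;                                /* no room for another header */
    return (struct cmsghdr *) (base + off + step);
}

struct roundtrip { int placed; int sum; };

/* Seed the buffer with 0xFF (constructed stand-in for uninitialized memory, no zeroing
   workaround), place up to 'want' int-carrying objects via cmsg_nxthdr_rfc, shrink
   msg_controllen to the bytes used, then read back with the platform's own macros. */
struct roundtrip demo_roundtrip(size_t buflen, int want)
{
    union { struct cmsghdr align; unsigned char buf[4 * CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr mh = { 0 };
    struct roundtrip r = { 0, 0 };
    if (buflen > sizeof u.buf) return r;
    memset(u.buf, 0xff, sizeof u.buf);
    mh.msg_control = u.buf;
    mh.msg_controllen = buflen;
    struct cmsghdr *c = NULL;
    for (int i = 0; i < want && (c = cmsg_nxthdr_rfc(&mh, c)) != NULL; i++) {
        c->cmsg_level = SOL_SOCKET;   /* level/type are illustrative placeholders */
        c->cmsg_type  = 0;
        c->cmsg_len   = CMSG_LEN(sizeof(int));
        int v = 10 * (i + 1);
        memcpy(CMSG_DATA(c), &v, sizeof v);
        r.placed++;
    }
    mh.msg_controllen = r.placed * CMSG_SPACE(sizeof(int));   /* only what was used */
    for (c = CMSG_FIRSTHDR(&mh); c != NULL; c = CMSG_NXTHDR(&mh, c)) {
        int v; memcpy(&v, CMSG_DATA(c), sizeof v); r.sum += v;
    }
    return r;
}
```

Reading back with the platform's CMSG_NXTHDR is safe here only because msg_controllen was trimmed to the initialized headers; a sendmsg caller must do the same before handing the msghdr to the kernel.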
* [Bug network/13500] __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
From: jsm28 at gcc dot gnu.org @ 2012-02-21 2:28 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |network
* [Bug network/13500] __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
From: aj at suse dot de @ 2012-12-01 16:46 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

Andreas Jaeger <aj at suse dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |UNCONFIRMED
     Ever Confirmed|1                           |0

--- Comment #3 from Andreas Jaeger <aj at suse dot de> 2012-12-01 16:46:33 UTC ---
Test has been provided, so removing WAITING.
* [Bug network/13500] __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
From: schwab@linux-m68k.org @ 2012-12-19 10:50 UTC
To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|drepper.fsp at gmail dot com|unassigned at sourceware dot org
* [Bug network/13500] __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
From: fweimer at redhat dot com @ 2014-06-27 11:31 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=13500

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-