From: "igorlord at alum dot mit.edu" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug libc/13500] New: __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
Date: Wed, 14 Dec 2011 20:30:00 -0000	[thread overview]
Message-ID: <bug-13500-131@http.sourceware.org/bugzilla/> (raw)

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

             Bug #: 13500
           Summary: __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has
                    undefined behavior when setting up ancillary data
           Product: glibc
           Version: 2.14
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: igorlord@alum.mit.edu
    Classification: Unclassified


In the current implementation, when setting up ancillary data, __cmsg_nxthdr
will try to read data from the uninitialized area of the ancillary buffer and
may erroneously return NULL.

  cmsg = (struct cmsghdr *) ((unsigned char *) cmsg
                 + CMSG_ALIGN (cmsg->cmsg_len));
  if ((unsigned char *) (cmsg + 1) > ((unsigned char *) mhdr->msg_control
                      + mhdr->msg_controllen)
      || ((unsigned char *) cmsg + CMSG_ALIGN (cmsg->cmsg_len)
      > ((unsigned char *) mhdr->msg_control + mhdr->msg_controllen)))
    /* No more entries.  */
    return NULL;

Above is the relevant part of the current implementation.

"cmsg->cmsg_len" in the second "||" clause will read uninitialized data.  That
second "||" clause is not needed at all (and the kernel version of this
function does not have it).

This implementation is ok for parsing ancillary data (it provides some extra
sanity checking of the data), but it is broken for setting up ancillary data.

A workaround is to memset the entire ancillary data buffer to 0 before
initializing it, but there is no such requirement in the man pages, RFC
2292 or RFC 3542.

Glibc's implementation of CMSG_NXTHDR is not consistent with the reference
implementation in RFC 2292 and RFC 3542.



P.S.
  The current implementation does not support another RFC 2292/3542
requirement:

   The following behavior of this macro is new to this API: if the value
   of the cmsg pointer is NULL, a pointer to the cmsghdr structure
   describing the first ancillary data object is returned.  That is,
   CMSG_NXTHDR(mhdr, NULL) is equivalent to CMSG_FIRSTHDR(mhdr).

But you'll probably want a different bug report for this.

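The following program is an added illustration of the report above; it is neither glibc's code nor the reporter's. It models the two CMSG_NXTHDR variants under discussion as plain functions (nxthdr_glibc_style mirrors the quoted step including the second "||" clause, nxthdr_rfc3542 mirrors the RFC 2292/3542 reference macro) and then tries to lay out two ancillary objects in a control buffer. Because a truly uninitialized buffer cannot be reasoned about reliably, the buffer is first filled with a constructed byte pattern (0x10) to stand in for stale memory, while a fill of 0x00 corresponds to the memset workaround. ALIGN_CMSG and past_end are local helpers, not glibc or kernel macros; SOL_SOCKET/SCM_RIGHTS and the payload value are only sample contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Local stand-in for glibc's CMSG_ALIGN: round a length up to size_t alignment. */
#define ALIGN_CMSG(len) (((len) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))

/* True if p + add lies past the end of the control buffer.  Computed in
   integer space so this model itself does no out-of-bounds pointer arithmetic. */
static int past_end(const struct msghdr *mh, const void *p, size_t add)
{
    uintptr_t end = (uintptr_t) mh->msg_control + mh->msg_controllen;
    return (uintptr_t) p + add > end;
}

/* Model of the glibc 2.14 step quoted in the report.  The second || clause
   reads cmsg_len from the slot just advanced to; when the caller is building
   ancillary data that slot has not been written yet. */
static struct cmsghdr *nxthdr_glibc_style(struct msghdr *mh, struct cmsghdr *cmsg)
{
    if ((size_t) cmsg->cmsg_len < sizeof(struct cmsghdr))
        return NULL;
    cmsg = (struct cmsghdr *) ((unsigned char *) cmsg + ALIGN_CMSG(cmsg->cmsg_len));
    if (past_end(mh, cmsg, sizeof(struct cmsghdr))
        || past_end(mh, cmsg, ALIGN_CMSG(cmsg->cmsg_len)))  /* next slot's cmsg_len */
        return NULL;
    return cmsg;
}

/* Model of the RFC 2292/3542 reference macro: a NULL cmsg yields the first
   header, and only the *current* header's length is consulted. */
static struct cmsghdr *nxthdr_rfc3542(struct msghdr *mh, struct cmsghdr *cmsg)
{
    if (cmsg == NULL)
        return CMSG_FIRSTHDR(mh);
    if ((size_t) cmsg->cmsg_len < sizeof(struct cmsghdr))
        return NULL;
    if (past_end(mh, cmsg, ALIGN_CMSG(cmsg->cmsg_len) + ALIGN_CMSG(sizeof(struct cmsghdr))))
        return NULL;
    return (struct cmsghdr *) ((unsigned char *) cmsg + ALIGN_CMSG(cmsg->cmsg_len));
}

/* Lay out two ancillary objects (one int each) using the given step function.
   The buffer is first filled with `fill` (constructed stand-in for stale
   memory; 0 models the memset workaround).  Returns how many headers were
   placed before the step function reported "no more entries". */
static int build_two(struct cmsghdr *(*nxthdr)(struct msghdr *, struct cmsghdr *),
                     unsigned char fill)
{
    static unsigned char buf[2 * CMSG_SPACE(sizeof(int))];
    struct msghdr mh;
    int payload = 3;                       /* constructed sample value */

    memset(buf, fill, sizeof buf);
    memset(&mh, 0, sizeof mh);
    mh.msg_control = buf;
    mh.msg_controllen = sizeof buf;

    struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
    for (int placed = 0; placed < 2; placed++) {
        if (c == NULL)
            return placed;                 /* step function gave up early */
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof payload);
        memcpy(CMSG_DATA(c), &payload, sizeof payload);
        c = nxthdr(&mh, c);
    }
    return 2;
}

/* The P.S. point: under RFC semantics CMSG_NXTHDR(mhdr, NULL) == CMSG_FIRSTHDR(mhdr). */
static int rfc_null_is_firsthdr(void)
{
    static unsigned char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_control = buf;
    mh.msg_controllen = sizeof buf;
    return nxthdr_rfc3542(&mh, NULL) == CMSG_FIRSTHDR(&mh);
}

int main(void)
{
    printf("glibc-style, dirty buffer  : %d of 2 headers placed\n", build_two(nxthdr_glibc_style, 0x10));
    printf("glibc-style, zeroed buffer : %d of 2 headers placed\n", build_two(nxthdr_glibc_style, 0x00));
    printf("RFC 3542,    dirty buffer  : %d of 2 headers placed\n", build_two(nxthdr_rfc3542, 0x10));
    printf("RFC NXTHDR(NULL) == FIRSTHDR: %s\n", rfc_null_is_firsthdr() ? "yes" : "no");
    return 0;
}
```

With the stale-memory fill the glibc-style step stops after one header, because the bogus cmsg_len it reads from the untouched second slot makes the second clause overshoot the buffer; zeroing the buffer first, or using the RFC step that never looks at the next slot, lets both objects be placed. For parsing already-received data both variants walk the same headers, since every cmsg_len is then initialized.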


Thread overview: 7+ messages
2011-12-14 20:30 igorlord at alum dot mit.edu [this message]
2011-12-18  1:50 ` [Bug libc/13500] " drepper.fsp at gmail dot com
2012-01-03 18:11 ` igorlord at alum dot mit.edu
2012-02-21  2:28 ` [Bug network/13500] " jsm28 at gcc dot gnu.org
2012-12-01 16:46 ` aj at suse dot de
2012-12-19 10:50 ` schwab@linux-m68k.org
2014-06-27 11:31 ` fweimer at redhat dot com