From: "igorlord at alum dot mit.edu"
To: glibc-bugs@sources.redhat.com
Subject: [Bug libc/13500] New: __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
Date: Wed, 14 Dec 2011 20:30:00 -0000
X-Bugzilla-URL: http://sourceware.org/bugzilla/
X-SW-Source: 2011-12/txt/msg00018.txt.bz2

http://sourceware.org/bugzilla/show_bug.cgi?id=13500

           Bug #: 13500
          Summary: __cmsg_nxthdr in cmsg_nxthdr.c (CMSG_NXTHDR) has undefined behavior when setting up ancillary data
          Product: glibc
          Version: 2.14
           Status: NEW
         Severity: normal
         Priority: P2
        Component: libc
       AssignedTo: drepper.fsp@gmail.com
       ReportedBy: igorlord@alum.mit.edu
   Classification: Unclassified

In the current implementation, when setting up ancillary data, __cmsg_nxthdr will try to read data from the uninitialized area of the ancillary buffer and may erroneously return NULL.
  cmsg = (struct cmsghdr *) ((unsigned char *) cmsg
                             + CMSG_ALIGN (cmsg->cmsg_len));
  if ((unsigned char *) (cmsg + 1) > ((unsigned char *) mhdr->msg_control
                                      + mhdr->msg_controllen)
      || ((unsigned char *) cmsg + CMSG_ALIGN (cmsg->cmsg_len)
          > ((unsigned char *) mhdr->msg_control + mhdr->msg_controllen)))
    /* No more entries.  */
    return NULL;

Above is the relevant part of the current implementation. "cmsg->cmsg_len" in the second "||" clause will read uninitialized data. That second "||" clause is not needed at all (and the kernel version of this function does not have it).

This implementation is OK for parsing ancillary data (it provides some extra sanity checking of the data), but it is broken for setting up ancillary data. A workaround is to memset the entire ancillary data buffer to 0 before initializing it, but there is no such requirement in either the man pages or RFC 2292 or RFC 3542. Glibc's implementation of CMSG_NXTHDR is not consistent with the reference implementation in RFC 2292 and RFC 3542.

P.S. The current implementation does not support another RFC 2292/3542 requirement:

    The following behavior of this macro is new to this API: if the value of the cmsg pointer is NULL, a pointer to the cmsghdr structure describing the first ancillary data object is returned. That is, CMSG_NXTHDR(mhdr, NULL) is equivalent to CMSG_FIRSTHDR(mhdr).

But you'll probably want a different bug report for this.
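The two algorithms the report contrasts, side by side, as an added example that is neither glibc's nor the reporter's code: the RFC 3542 reference CMSG_NXTHDR and the glibc 2.14 variant quoted above, both called while a control buffer is being set up. The stale value planted in the second slot's cmsg_len (1000) is a constructed stand-in for whatever was on the stack before; the function names nxthdr_rfc, nxthdr_glibc and second_slot_reachable are this example's own.

```c
/* Added example (not glibc's or the reporter's code): the RFC 3542 reference
   CMSG_NXTHDR next to the glibc 2.14 variant quoted above, exercised while
   *building* ancillary data.  The second slot's cmsg_len is pre-set to a
   constructed "leftover" value to stand in for uninitialized stack contents. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 2292/3542 style: only reads the current header's cmsg_len and
   checks that the next header itself fits in the control buffer. */
static struct cmsghdr *nxthdr_rfc(struct msghdr *mhdr, struct cmsghdr *cmsg)
{
    unsigned char *end = (unsigned char *) mhdr->msg_control + mhdr->msg_controllen;
    cmsg = (struct cmsghdr *) ((unsigned char *) cmsg + CMSG_ALIGN(cmsg->cmsg_len));
    return (unsigned char *) (cmsg + 1) > end ? NULL : cmsg;
}

/* glibc 2.14 style: the second "||" clause also reads the *next* header's
   cmsg_len, which nobody has written yet when the buffer is being set up. */
static struct cmsghdr *nxthdr_glibc(struct msghdr *mhdr, struct cmsghdr *cmsg)
{
    unsigned char *end = (unsigned char *) mhdr->msg_control + mhdr->msg_controllen;
    cmsg = (struct cmsghdr *) ((unsigned char *) cmsg + CMSG_ALIGN(cmsg->cmsg_len));
    if ((unsigned char *) (cmsg + 1) > end
        || (unsigned char *) cmsg + CMSG_ALIGN(cmsg->cmsg_len) > end)
        return NULL;
    return cmsg;
}

/* Set up a control buffer sized for two int-payload objects, write the first
   one, plant `leftover` in the second slot's cmsg_len, then ask `nxt` for the
   second slot.  Returns 1 if a usable pointer came back, 0 if it was NULL. */
static int second_slot_reachable(struct cmsghdr *(*nxt)(struct msghdr *, struct cmsghdr *),
                                 size_t leftover)
{
    unsigned char buf[2 * CMSG_SPACE(sizeof(int))];
    struct msghdr mh;
    struct cmsghdr *c;

    memset(&mh, 0, sizeof mh);
    mh.msg_control = buf;
    mh.msg_controllen = sizeof buf;
    c = CMSG_FIRSTHDR(&mh);
    c->cmsg_len = CMSG_LEN(sizeof(int));          /* first object written normally */
    /* The second slot is not ours to write yet; emulate stale memory there. */
    ((struct cmsghdr *) (buf + CMSG_SPACE(sizeof(int))))->cmsg_len = leftover;

    return nxt(&mh, c) != NULL;
}
```

With a zeroed buffer (the memset workaround) both variants hand back the second slot; with stale contents only the RFC variant does, which is the behaviour the report describes.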