public inbox for glibc-bugs@sourceware.org
* [Bug hurd/17944] New: connect() access bytes after socket address
From: samuel.thibault@ens-lyon.org @ 2015-02-08 3:16 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17944
Bug ID: 17944
Summary: connect() access bytes after socket address
Product: glibc
Version: 2.19
Status: NEW
Severity: normal
Priority: P2
Component: hurd
Assignee: unassigned at sourceware dot org
Reporter: samuel.thibault@ens-lyon.org
CC: roland at gnu dot org, tschwinge at sourceware dot org
From Tanaka Akira:
“
Hi.
I found that connect() accesses bytes after the socket address.
The test program below specifies the same struct sockaddr_un for
bind() and connect().
I expect connect() to succeed, but a
"connect: No such file or directory" error occurred.
rpctrace shows that bind() binds a socket as the socket file "AB" and
connect() tries to connect to the socket file "ABCD".
This is caused by the socket address and its length.
The socket address is AF_UNIX and the sun_path field is "AB".
The socket length is offsetof(struct sockaddr_un, sun_path) + 2.
However, the sun_path field has garbage "CD\0" just after "AB".
It seems that bind() properly uses the socket length and
connect() doesn't use it.
The problem is that the socket address is not NUL-terminated.
Strictly speaking, this is not POSIX-conforming because
POSIX defines sun_path as a pathname, and a pathname is terminated by NUL.
However, I think this behavior is a bug in connect() because
1. bind() and connect() consistency and
2. accessing undefined bytes is a really bad idea.
% uname -srvm
GNU 0.3 GNU-Mach 1.3.99-486/Hurd-0.3 i686-AT386
% cat tst.c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>

int main(int argc, char *argv[])
{
    int s, c, ret;
    struct sockaddr_un addr;
    socklen_t addrlen;

    s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == -1) { perror("socket"); exit(EXIT_FAILURE); }

    /* The length covers only "AB"; the "CD\0" written below lies
       outside the address and must not be read. */
    addrlen = offsetof(struct sockaddr_un, sun_path) + 2;
    addr.sun_family = AF_UNIX;
    addr.sun_path[0] = 'A';
    addr.sun_path[1] = 'B';
    addr.sun_path[2] = 'C';
    addr.sun_path[3] = 'D';
    addr.sun_path[4] = '\0';

    /* Bind and connect with the same address and the same length. */
    ret = bind(s, (struct sockaddr *)&addr, addrlen);
    if (ret == -1) { perror("bind"); exit(EXIT_FAILURE); }
    ret = listen(s, SOMAXCONN);
    if (ret == -1) { perror("listen"); exit(EXIT_FAILURE); }

    c = socket(AF_UNIX, SOCK_STREAM, 0);
    if (c == -1) { perror("socket"); exit(EXIT_FAILURE); }
    ret = connect(c, (struct sockaddr *)&addr, addrlen);
    if (ret == -1) { perror("connect"); exit(EXIT_FAILURE); }

    return EXIT_SUCCESS;
}
% gcc -Wall tst.c
% ls
a.out tst.c
% ./a.out
connect: No such file or directory
% ls
AB a.out tst.c
% rm AB
% rpctrace ./a.out |& grep AB
92<--119(pid565)->dir_link ( 136<--135(pid565) "AB" 1) = 0
92<--119(pid565)->dir_lookup ("AB" 0 0) = 0 1 "" 136<--137(pid565)
92<--119(pid565)->dir_lookup ("ABCD" 0 0) = 0x40000002 (No such file or directory)
%
--
Tanaka Akira
”
--
You are receiving this mail because:
You are on the CC list for the bug.
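The length handling the report describes, as an added example (not code from the report and not the glibc fix): an unbounded read of sun_path next to a read bounded by the caller's address length. The names make_report_addr, naive_path_len and bounded_sun_path are hypothetical, and the address is constructed to match the one in tst.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed input: "AB" plus garbage "CD\0"; the length covers only "AB". */
static socklen_t make_report_addr(struct sockaddr_un *addr)
{
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, "ABCD", 5);
    return offsetof(struct sockaddr_un, sun_path) + 2;
}

/* Unbounded read: ignores addrlen and scans to the first NUL, which is
   the behaviour the report describes for connect(). */
static size_t naive_path_len(const struct sockaddr_un *addr)
{
    return strlen(addr->sun_path);
}

/* Bounded read (hypothetical helper): use only the bytes addrlen covers,
   stop at an earlier NUL, and always NUL-terminate the copy.
   Returns the path length, or -1 on a bad addrlen or a too-small buffer. */
static int bounded_sun_path(const struct sockaddr_un *addr, socklen_t addrlen,
                            char *out, size_t outsz)
{
    size_t hdr = offsetof(struct sockaddr_un, sun_path);
    if (addrlen < hdr || addrlen > sizeof *addr)
        return -1;
    size_t max = addrlen - hdr;
    const char *nul = memchr(addr->sun_path, '\0', max);
    size_t n = nul ? (size_t)(nul - addr->sun_path) : max;
    if (n + 1 > outsz)
        return -1;
    memcpy(out, addr->sun_path, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    struct sockaddr_un addr;
    char path[sizeof addr.sun_path + 1] = "";
    socklen_t len = make_report_addr(&addr);
    int n = bounded_sun_path(&addr, len, path, sizeof path);
    printf("unbounded=%zu bounded=%d (\"%s\")\n", naive_path_len(&addr), n, path);
    return 0;
}
```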
* [Bug hurd/17944] connect() access bytes after socket address
From: samuel.thibault@ens-lyon.org @ 2015-02-08 3:28 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17944
Samuel Thibault <samuel.thibault@ens-lyon.org> changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
        Status|NEW                         |RESOLVED
    Resolution|---                         |FIXED
--- Comment #1 from Samuel Thibault <samuel.thibault@ens-lyon.org> ---
Fixed in HEAD
* Re: [Bug hurd/17944] connect() access bytes after socket address
From: Joseph Myers @ 2015-02-09 16:20 UTC (permalink / raw)
To: samuel.thibault@ens-lyon.org; +Cc: glibc-bugs
When committing a patch that fixes a bug, you need to update the list of
fixed bugs in NEWS.
--
Joseph S. Myers
joseph@codesourcery.com
* [Bug hurd/17944] connect() access bytes after socket address
From: joseph at codesourcery dot com @ 2015-02-09 16:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17944
--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
When committing a patch that fixes a bug, you need to update the list of
fixed bugs in NEWS.
* [Bug hurd/17944] connect() access bytes after socket address
From: samuel.thibault@ens-lyon.org @ 2021-02-23 10:23 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17944
Samuel Thibault <samuel.thibault@ens-lyon.org> changed:
      What        |Removed                     |Added
----------------------------------------------------------------------------
  Target Milestone|---                         |2.22