Date: Mon, 4 Feb 2013 13:19:02 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: bind(sock, addr, addrlen) doesn't respect addrelen
Message-ID: <20130204121902.GA19792@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com

On Feb 4 11:03, Tanaka Akira wrote:
> Hi.
>
> I found that the bind(sock, addr, addrlen) function doesn't respect addrlen.
>
> If addr is an AF_UNIX socket address and the sun_path field is not
> NUL-terminated until the length specified as addrlen,
> bind() refers to bytes after addrlen.
> This can be observed in that the created socket file name is longer
> than expected.
>
> The test program attached below [...]

Thanks for the testcase!  I fixed bind(2) in CVS so that it makes sure
never to access memory beyond what's specified in the namelen parameter.

It also tests that the filename is always NUL-terminated, so your
example will result in an ENAMETOOLONG now, unless you make sure there's
a NUL byte within the bounds defined by namelen, as well as within the
first 108 bytes of sun_path.

This is not quite the Linux behaviour which also allows non-NUL
terminated filenames, but SUSv4 as well as the Linux unix(7) man page as
well as the wonderful "UNIX Network Programming" book from W. Richard
Stevens imply that the pathname should be NUL-terminated, so I'll stick
to that.  The important thing here is that bind(2) won't access
undefined memory.

Thanks again,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
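
An added example, not part of the original message and not Cygwin's actual code: one way to perform the check the reply describes, requiring a NUL byte inside both namelen and sun_path without reading past namelen. The names `check_sun_path`, `demo` and `PATH_OFF` are hypothetical, and the sample addresses are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define PATH_OFF offsetof(struct sockaddr_un, sun_path)

/* Hypothetical helper, not Cygwin's code: return 0 if the AF_UNIX name is
   NUL-terminated inside both namelen and sun_path, else an errno value.
   It never reads a byte at or beyond addr + namelen. */
int check_sun_path(const struct sockaddr *addr, socklen_t namelen)
{
    const struct sockaddr_un *un = (const struct sockaddr_un *)addr;
    size_t avail;

    if (addr == NULL || (size_t)namelen <= PATH_OFF)
        return EINVAL;                  /* no room for even one path byte */
    if (un->sun_family != AF_UNIX)
        return EAFNOSUPPORT;
    avail = (size_t)namelen - PATH_OFF; /* path bytes the caller vouched for */
    if (avail > sizeof un->sun_path)    /* 108 on Cygwin and Linux */
        avail = sizeof un->sun_path;
    if (memchr(un->sun_path, '\0', avail) == NULL)
        return ENAMETOOLONG;            /* no terminator within bounds */
    return 0;
}

/* Constructed sample: copy name_bytes of name into an address whose other
   bytes are 'X' (standing in for stray memory), then claim path_len bytes. */
int demo(const char *name, size_t name_bytes, size_t path_len)
{
    struct sockaddr_un un;

    memset(&un, 'X', sizeof un);
    un.sun_family = AF_UNIX;
    memcpy(un.sun_path, name, name_bytes);
    return check_sun_path((struct sockaddr *)&un, (socklen_t)(PATH_OFF + path_len));
}

int main(void)
{
    printf("terminated within namelen: %d\n", demo("sock", 5, 5));
    printf("no NUL before namelen:     %d\n", demo("sock", 4, 4));
    printf("NUL just past namelen:     %d\n", demo("sock", 5, 4));
    return 0;
}
```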