From owner-cvs-src@FreeBSD.ORG Sat Jan 10 14:31:53 2004 Return-Path: Delivered-To: cvs-src@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E9C516A4CE; Sat, 10 Jan 2004 14:31:53 -0800 (PST) Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id C2CA943D2F; Sat, 10 Jan 2004 14:31:51 -0800 (PST) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.12.9p2/8.12.9) with ESMTP id i0AMVg7E028954; Sat, 10 Jan 2004 14:31:46 -0800 (PST) (envelope-from truckman@FreeBSD.org) Message-Id: <200401102231.i0AMVg7E028954@gw.catspoiler.org> Date: Sat, 10 Jan 2004 14:31:42 -0800 (PST) From: Don Lewis To: nectar@FreeBSD.org In-Reply-To: <20040110152347.GD80448@madman.celabo.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii cc: cvs-src@FreeBSD.org cc: src-committers@FreeBSD.org cc: cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/kern uipc_syscalls.c X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Jan 2004 22:31:53 -0000 On 10 Jan, Jacques A. Vidrine wrote: > On Sat, Jan 10, 2004 at 12:28:54AM -0800, Don Lewis wrote: >> truckman 2004/01/10 00:28:54 PST >> >> FreeBSD src repository >> >> Modified files: >> sys/kern uipc_syscalls.c >> Log: >> Add a somewhat redundant check on the len arguement to getsockaddr() to >> avoid relying on the minimum memory allocation size to avoid problems. >> The check is somewhat redundant because the consumers of the returned >> structure will check that sa_len is a protocol-specific larger size. >> >> Submitted by: Matthew Dillon >> Reviewed by: nectar >> MFC after: 30 days > > But the check *is not* redundant. The consumers cannot safely check > sa_len if the allocation were to be less than `offsetof(struct > sa_sockaddr, data[0])'--- which it never is, by chance, due to the > minimum memory allocation size, as you noted. But we shall all feel > better that this is made explicit. FWIW, I think the check should > have been for `sizeof(*sa)' technically, but what has been committed > is safe, too, I believe. The only reason it is redundant instead of manditory is because of the minimum allocation allocation happens to be large enough for getsockaddr() to write to sa_len. If it is safe for getsockaddr() to write to sa_len, then it is safe for the consumers to read sa_len. BTW, I think a better solution is for getsockaddr() to call an address family specific length checker before returning, and to remove the sa_len check from all the consumers. With the commit I did to the tcp code after this commit, sa_len is checked three times for the bind() and connect() syscalls. I wasn't feeling that ambitious, though. It looks like the AF_UNIX implementation allows the length to be shorter than sizeof(*sa). It appears that you don't have to pass in the full 104 character sun_path.