[haiku-bugs] Re: [Haiku] #3255: malformed unix socket filename

  • From: "akira" <trac@xxxxxxxxxxxx>
  • Date: Mon, 04 Mar 2013 04:37:01 -0000

#3255: malformed unix socket filename
----------------------------------+---------------------------
   Reporter:  kaliber             |      Owner:  bonefish
       Type:  bug                 |     Status:  new
   Priority:  normal              |  Milestone:  R1
  Component:  Network & Internet  |    Version:  R1/pre-alpha1
 Resolution:                      |   Keywords:
 Blocked By:                      |   Blocking:
Has a Patch:  0                   |   Platform:  All
----------------------------------+---------------------------

Comment (by akira):

 I found this issue while comparing various Unix domain socket
 implementations.
 https://github.com/akr/socket-test

 I agree that the sample code is not POSIX compliant because
 POSIX defines the sun_path field as a pathname, and a pathname is
 NUL-terminated by definition.

 However, specifying a length without NUL is a traditional way to
 use a Unix domain socket address.

 For example, a 4.3BSD document describes that the length doesn't contain
 NUL.

 http://www.tuhs.org/Archive/4BSD/Distributions/4.3BSD/usr.tar.gz
 doc/ps1/08.ipc/2.t
 {{{
        #include <sys/un.h>
         ...
        struct sockaddr_un addr;
         ...
        strcpy(addr.sun_path, "/tmp/foo");
        addr.sun_family = AF_UNIX;
        bind(s, (struct sockaddr *) &addr, strlen(addr.sun_path) +
            sizeof (addr.sun_family));

   Note  that  in determining the size of a UNIX domain address
   null bytes are not counted, which is why strlen is used.
 }}}

 The 4.4BSD document also has a similar description.
 (It adds sizeof(addr.sun_len) though)
 http://docs.freebsd.org/44doc/psd/21.ipc/paper.pdf

 So Haiku is not friendly to traditional programs.

 Also, an out-of-bounds read is not a good programming practice.
 CWE-125: Out-of-bounds Read
 http://cwe.mitre.org/data/definitions/125.html

 What is interesting about Haiku is that the out-of-bounds read happens on
 the copied socket address.
 This means a NUL just after the specified length cannot prevent the problem.

--
Ticket URL: <http://dev.haiku-os.org/ticket/3255#comment:6>
Haiku <http://dev.haiku-os.org>
Haiku - the operating system.
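
The bounded handling this comment points toward, as an added example that is not part of the original post and is not Haiku's code: the path is taken only from the first addrlen bytes of the copied address, so a length without the trailing NUL is accepted and nothing past it is read. The names sun_path_bounded and demo_traditional are hypothetical, and the 'X' fill is a constructed stand-in for whatever follows the copied bytes.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not Haiku code): extract the path from a caller-supplied
 * AF_UNIX address using only the first addrlen bytes. Returns the path length,
 * or -1 if the address is malformed, empty, or does not fit in out. */
static int sun_path_bounded(const void *addr, socklen_t addrlen,
                            char *out, size_t outsize)
{
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    struct sockaddr_un copy;

    if (addrlen <= hdr || addrlen > sizeof(copy))
        return -1;

    /* Simulated copy of the address: bytes past addrlen are not the caller's.
     * They are filled with non-NUL data so an unbounded strlen() would overrun. */
    memset(&copy, 'X', sizeof(copy));
    memcpy(&copy, addr, addrlen);
    if (copy.sun_family != AF_UNIX)
        return -1;

    /* The path ends at the first NUL inside the supplied bytes, or at addrlen. */
    size_t avail = addrlen - hdr;
    const char *nul = memchr(copy.sun_path, '\0', avail);
    size_t len = nul ? (size_t)(nul - copy.sun_path) : avail;

    if (len == 0 || len >= outsize)
        return -1;
    memcpy(out, copy.sun_path, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample: the 4.3BSD-style length, without the trailing NUL. */
static int demo_traditional(char *out, size_t outsize)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, "/tmp/foo");
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path)
                                + strlen(addr.sun_path));
    return sun_path_bounded(&addr, len, out, outsize);
}
```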