#3255: malformed unix socket filename
----------------------------------+---------------------------
   Reporter:  kaliber             |      Owner:  bonefish
       Type:  bug                 |     Status:  new
   Priority:  normal              |  Milestone:  R1
  Component:  Network & Internet  |    Version:  R1/pre-alpha1
 Resolution:                      |   Keywords:
 Blocked By:                      |   Blocking:
Has a Patch:  0                   |   Platform:  All
----------------------------------+---------------------------

Comment (by akira):

 I found this issue while comparing various Unix domain socket
 implementations.
 https://github.com/akr/socket-test

 I agree that the sample code is not POSIX compliant, because POSIX defines
 the sun_path field as a pathname, and a pathname is NUL-terminated by
 definition.

 However, specifying a length without NUL is a traditional way to use a
 Unix domain socket address.

 For example, a 4.3BSD document describes that the length doesn't contain
 NUL.

 http://www.tuhs.org/Archive/4BSD/Distributions/4.3BSD/usr.tar.gz
 doc/ps1/08.ipc/2.t
 {{{
 #include <sys/un.h>
  ...
 struct sockaddr_un addr;
  ...
 strcpy(addr.sun_path, "/tmp/foo");
 addr.sun_family = AF_UNIX;
 bind(s, (struct sockaddr *) &addr, strlen(addr.sun_path) +
     sizeof (addr.sun_family));

 Note that in determining the size of a UNIX domain address null bytes are
 not counted, which is why strlen is used.
 }}}

 The 4.4BSD document also has a similar description. (It adds
 sizeof(addr.sun_len), though.)
 http://docs.freebsd.org/44doc/psd/21.ipc/paper.pdf

 So Haiku is not friendly to traditional programs.

 Also, an out-of-bounds read is not a good programming practice.

 CWE-125: Out-of-bounds Read
 http://cwe.mitre.org/data/definitions/125.html

 What is interesting about Haiku is that the out-of-bounds read happens on
 the copied socket address. This means a NUL just after the specified
 length cannot prevent the problem.

--
Ticket URL: <http://dev.haiku-os.org/ticket/3255#comment:6>
Haiku <http://dev.haiku-os.org>
Haiku - the operating system.
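
The comment above turns on how a receiver should bound `sun_path` when the caller's length excludes the NUL. The following is an added example, not code from the ticket or from Haiku: `sun_path_copy` and `demo_unterminated` are hypothetical names, and the sample address is constructed. It reads only the bytes covered by the supplied length and terminates its own copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: extract the path from a sockaddr_un using only the
 * bytes covered by addrlen. Returns the path length, or -1 if addrlen is
 * invalid or the output buffer is too small. */
static int sun_path_copy(const struct sockaddr_un *addr, socklen_t addrlen,
                         char *out, size_t outsz)
{
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);

    /* Reject lengths that cannot describe this structure. */
    if (addrlen < hdr || addrlen > sizeof(*addr))
        return -1;

    size_t avail = (size_t)addrlen - hdr;   /* path bytes the caller supplied */

    /* Stop at the first NUL inside the supplied bytes, if there is one;
     * otherwise the whole supplied span is the path (4.3BSD convention). */
    const char *nul = memchr(addr->sun_path, '\0', avail);
    size_t len = nul ? (size_t)(nul - addr->sun_path) : avail;

    if (len + 1 > outsz)
        return -1;
    memcpy(out, addr->sun_path, len);
    out[len] = '\0';                        /* terminate our own copy */
    return (int)len;
}

/* Constructed sample: "/tmp/foo" passed without a trailing NUL, followed by
 * stale non-NUL bytes, as a copied address buffer might contain. */
static int demo_unterminated(char *out, size_t outsz)
{
    struct sockaddr_un addr;
    memset(&addr, 'X', sizeof(addr));       /* no NUL anywhere in the buffer */
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, "/tmp/foo", 8);
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 8);
    return sun_path_copy(&addr, len, out, outsz);
}

int main(void)
{
    char path[128];
    int n = demo_unterminated(path, sizeof(path));
    printf("%d %s\n", n, n >= 0 ? path : "(rejected)");
    return 0;
}
```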