linux-kernel.vger.kernel.org archive mirror
* [PATCH] unix domain sockets bugfix
@ 2002-10-07  7:35 Balazs Scheidler
  2002-10-07  7:48 ` David S. Miller
  2002-10-07  9:15 ` James Morris
  0 siblings, 2 replies; 6+ messages in thread
From: Balazs Scheidler @ 2002-10-07  7:35 UTC (permalink / raw)
  To: linux-kernel

Hi,

I've found a bug with unix domain sockets in both kernels 2.2 and 2.4.
If the program issues a recvfrom() on a SOCK_DGRAM socket, and the sender
had no name, the sockaddr returned is not filled in.

The returned socklen is 2, but the sockaddr.family is not touched. A fix is
below:

--- af_unix.c~	Mon Feb 25 20:38:16 2002
+++ af_unix.c	Fri Oct  4 09:46:26 2002
@@ -1392,6 +1392,9 @@
 		       sk->protinfo.af_unix.addr->name,
 		       sk->protinfo.af_unix.addr->len);
 	}
+	else {
+		((struct sockaddr *) msg->msg_name)->sa_family = AF_UNIX;
+	}
 }
 
 static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, int size,
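Review bot: in the new else branch, msg->msg_name gets sa_family = AF_UNIX while msg_namelen stays at the sizeof(short) the function sets on entry (quoted further down this thread), so the caller still receives a 2-byte address that carries nothing but the family; if an unnamed sender is meant to have no address at all, the branch should set msg->msg_namelen = 0 instead, which is what David Miller's reply says the 2.4.20-pre tree already does, and which stops userspace from reading a sockaddr that was only partly written. Either way the store assumes msg->msg_name is non-NULL, the same assumption the memcpy in the if-branch makes, so it is consistent with the existing code but deserves a comment. Style: kernel code puts the else on the closing brace, `} else {`, rather than on a line of its own.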


-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1


* Re: [PATCH] unix domain sockets bugfix
  2002-10-07  7:35 [PATCH] unix domain sockets bugfix Balazs Scheidler
@ 2002-10-07  7:48 ` David S. Miller
  2002-10-07  8:01   ` Balazs Scheidler
  2002-10-07  9:15 ` James Morris
  1 sibling, 1 reply; 6+ messages in thread
From: David S. Miller @ 2002-10-07  7:48 UTC (permalink / raw)
  To: bazsi; +Cc: linux-kernel

   From: Balazs Scheidler <bazsi@balabit.hu>
   Date: Mon, 7 Oct 2002 09:35:32 +0200
   
   The returned socklen is 2, but the sockaddr.family is not touched. A fix is
   below:

Since msg->msg_namelen is zero, msg->msg_name should not be
interpreted in any way at all.


* Re: [PATCH] unix domain sockets bugfix
  2002-10-07  8:01   ` Balazs Scheidler
@ 2002-10-07  7:56     ` David S. Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David S. Miller @ 2002-10-07  7:56 UTC (permalink / raw)
  To: bazsi; +Cc: linux-kernel

   From: Balazs Scheidler <bazsi@balabit.hu>
   Date: Mon, 7 Oct 2002 10:01:01 +0200
   
   This is 2.4.18
   
Look at current 2.4.20-preX sources, it is set to zero
now.


* Re: [PATCH] unix domain sockets bugfix
  2002-10-07  7:48 ` David S. Miller
@ 2002-10-07  8:01   ` Balazs Scheidler
  2002-10-07  7:56     ` David S. Miller
  0 siblings, 1 reply; 6+ messages in thread
From: Balazs Scheidler @ 2002-10-07  8:01 UTC (permalink / raw)
  To: David S. Miller; +Cc: linux-kernel

On Mon, Oct 07, 2002 at 12:48:00AM -0700, David S. Miller wrote:
>    From: Balazs Scheidler <bazsi@balabit.hu>
>    Date: Mon, 7 Oct 2002 09:35:32 +0200
>    
>    The returned socklen is 2, but the sockaddr.family is not touched. A fix is
>    below:
> 
> Since msg->msg_namelen is zero, msg->msg_name should not be
> interpreted in any way at all.

You would be right if it were zero, but it isn't:

373			res = recvfrom(closure->fd, buffer, length, 0, (struct sockaddr *) addr, (socklen_t *) addrlen);
(gdb) n
375			if (*addrlen == 2) {
(gdb) p *addrlen
$2 = 2

Checking out the code again:

static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
{
        msg->msg_namelen = sizeof(short);
        if (sk->protinfo.af_unix.addr) {
                msg->msg_namelen=sk->protinfo.af_unix.addr->len;
                memcpy(msg->msg_name,
                       sk->protinfo.af_unix.addr->name,
                       sk->protinfo.af_unix.addr->len);
        }
}

namelen is explicitly set to sizeof(short) == 2.

This is 2.4.18

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1


* Re: [PATCH] unix domain sockets bugfix
  2002-10-07  7:35 [PATCH] unix domain sockets bugfix Balazs Scheidler
  2002-10-07  7:48 ` David S. Miller
@ 2002-10-07  9:15 ` James Morris
  1 sibling, 0 replies; 6+ messages in thread
From: James Morris @ 2002-10-07  9:15 UTC (permalink / raw)
  To: Balazs Scheidler; +Cc: linux-kernel

On Mon, 7 Oct 2002, Balazs Scheidler wrote:

> I've found a bug with unix domain sockets in both kernels 2.2 and 2.4.

This is not an issue for 2.2, as msg->msg_namelen is already zeroed
appropriately.


- James
-- 
James Morris
<jmorris@intercode.com.au>




* Re: [PATCH] unix domain sockets bugfix
@ 2002-11-05 17:54 Balazs Scheidler
  0 siblings, 0 replies; 6+ messages in thread
From: Balazs Scheidler @ 2002-11-05 17:54 UTC (permalink / raw)
  To: David S. Miller; +Cc: linux-kernel

2.4.20-rc1 is still not working well for recvfrom() on unix-dgram sockets. It
doesn't return 0 as the length of the sockaddr; checking the code again
makes me think that this is the problem:

--- socket.c.old	Tue Nov  5 18:48:22 2002
+++ socket.c	Tue Nov  5 18:49:34 2002
@@ -1262,7 +1262,7 @@
 		flags |= MSG_DONTWAIT;
 	err=sock_recvmsg(sock, &msg, size, flags);
 
-	if(err >= 0 && addr != NULL && msg.msg_namelen)
+	if(err >= 0 && addr != NULL)
 	{
 		err2=move_addr_to_user(address, msg.msg_namelen, addr, addr_len);
 		if(err2<0)
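Review bot: removing `&& msg.msg_namelen` from the condition means move_addr_to_user() now runs with a zero klen whenever the sender had no name, so the fix depends on that helper copying nothing for a zero length and still storing the zero through addr_len; confirm both before merging, because that stored zero is the entire effect of the patch. The strace below shows what the guard was doing: with msg_namelen == 0 the call was skipped, addr_len stayed at the caller's 256, and the sa_family/sa_data bytes printed are whatever the application's buffer held before the call, which a receiver that trusts addr_len will then parse as a peer address.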
---------

strace for the behaviour of the kernel:

> recvfrom(3, "<38>Nov  5 17:53:01 PAM_unix[952"..., 2048, 0, {sin_family=0xf80c /* AF_??? */, {sa_family=63500, sa_data="\377\277\6\351\4\10\10\270\5\10\360@\5\10"}, [256]) = 82

You can see that 256 is returned as the length of the sockaddr, and there's garbage in the sa_family field.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
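The behaviour argued over in this thread, as an added example that is not code from the thread or from the kernel: a receiver-side helper that treats the addrlen value recvfrom() writes back as the only authority on whether a sender address exists, plus a small harness that sends a datagram from a never-bound AF_UNIX socket and returns exactly what the kernel reports. The function names, the enum and the abstract-namespace socket name are this example's own inventions, and it assumes Linux (abstract socket names, and the rule that an unbound datagram sender is only autobound when SO_PASSCRED is set). On a current kernel the harness gets back addrlen 0 with the address buffer untouched; that is the case 2.4.18 reported as length 2 and 2.4.20-rc1 left at the caller's 256.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* What the (sockaddr, addrlen) pair returned by recvfrom() on an
 * AF_UNIX SOCK_DGRAM socket actually means to the receiver. */
enum peer_kind {
    PEER_NONE,     /* addrlen < sizeof(sa_family_t): nothing stored, sa_family is unreadable */
    PEER_UNNAMED,  /* only the family stored (the 2-byte form in this thread): unbound sender */
    PEER_ABSTRACT, /* Linux abstract namespace: sun_path begins with '\0' */
    PEER_PATH,     /* filesystem path in sun_path, possibly without a NUL terminator */
    PEER_BAD       /* family is not AF_UNIX: stale or corrupt, do not trust */
};

/* Classify a peer address. 'len' must be the value recvfrom() wrote back
 * through addrlen, never the size of the buffer that was passed in.
 * A printable form is written to 'path' when path_sz > 0. */
enum peer_kind classify_peer(const struct sockaddr_un *sa, socklen_t len,
                             char *path, size_t path_sz)
{
    size_t n;

    if (path_sz)
        path[0] = '\0';
    if (len < sizeof(sa_family_t))
        return PEER_NONE;          /* do not even look at sa_family */
    if (sa->sun_family != AF_UNIX)
        return PEER_BAD;
    if (len == sizeof(sa_family_t))
        return PEER_UNNAMED;

    /* Only the first len - offsetof(sun_path) bytes of sun_path are valid;
     * the kernel may report a length larger than our buffer (truncation). */
    n = len - offsetof(struct sockaddr_un, sun_path);
    if (n > sizeof sa->sun_path)
        n = sizeof sa->sun_path;
    if (sa->sun_path[0] == '\0') {
        /* Abstract name: bytes 1..n-1; shown up to the first embedded NUL. */
        if (path_sz)
            snprintf(path, path_sz, "@%.*s", (int)(n - 1), sa->sun_path + 1);
        return PEER_ABSTRACT;
    }
    if (path_sz)
        snprintf(path, path_sz, "%.*s", (int)n, sa->sun_path);
    return PEER_PATH;
}

/* Deliver one datagram from an unbound AF_UNIX socket to a bound one and
 * hand back exactly what recvfrom() reported for the sender. The address
 * buffer is pre-filled with 0xff so anything the kernel leaves untouched is
 * visibly stale. Returns -1 if the sockets cannot be set up on this system. */
int recv_from_unnamed_sender(struct sockaddr_un *from, socklen_t *fromlen)
{
    struct sockaddr_un rx_addr;
    socklen_t rx_len;
    char buf[16];
    int rx = -1, tx = -1, ret = -1;

    /* Receiver lives in the abstract namespace (leading NUL, Linux only), so
     * no socket file is left behind; the name is invented for this example. */
    memset(&rx_addr, 0, sizeof rx_addr);
    rx_addr.sun_family = AF_UNIX;
    snprintf(rx_addr.sun_path + 1, sizeof rx_addr.sun_path - 1,
             "example-unnamed-sender-%ld", (long)getpid());
    rx_len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 +
                         strlen(rx_addr.sun_path + 1));

    if ((rx = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) goto out;
    if ((tx = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) goto out;
    if (bind(rx, (struct sockaddr *)&rx_addr, rx_len) < 0) goto out;
    /* tx is never bound and SO_PASSCRED is off, so it is never autobound:
     * the sender has no name, the situation this thread is about. */
    if (sendto(tx, "ping", 4, 0, (struct sockaddr *)&rx_addr, rx_len) < 0) goto out;

    memset(from, 0xff, sizeof *from);
    *fromlen = sizeof *from;
    if (recvfrom(rx, buf, sizeof buf, 0, (struct sockaddr *)from, fromlen) < 0) goto out;
    ret = 0;
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return ret;
}

int main(void)
{
    struct sockaddr_un from;
    socklen_t len;
    char path[sizeof from.sun_path + 2];

    if (recv_from_unnamed_sender(&from, &len) < 0) {
        perror("recv_from_unnamed_sender");
        return 1;
    }
    /* On a current Linux kernel this prints addrlen=0 and sun_family=0xffff:
     * the poison survived because the kernel stored no address, which is why
     * the length has to be checked before sa_family is read. */
    printf("addrlen=%u sun_family=0x%x kind=%d (PEER_NONE=%d)\n", (unsigned)len,
           (unsigned)from.sun_family,
           classify_peer(&from, len, path, sizeof path), PEER_NONE);
    return 0;
}
```

Build with `cc -Wall -o unix_peer unix_peer.c` and run it. The classifier covers the three lengths this thread mentions (0, 2, and a stale buffer-size value that was never updated) as well as abstract and filesystem names, so it can sit in front of any receiver code that reads sun_path.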

