cvs commit: src/sys/kern uipc_syscalls.c

[Don Lewis]

On 10 Jan, Jacques A. Vidrine wrote:
> On Sat, Jan 10, 2004 at 12:28:54AM -0800, Don Lewis wrote:
>> truckman    2004/01/10 00:28:54 PST
>> 
>>   FreeBSD src repository
>> 
>>   Modified files:
>>     sys/kern             uipc_syscalls.c 
>>   Log:
>>   Add a somewhat redundant check on the len arguement to getsockaddr() to
>>   avoid relying on the minimum memory allocation size to avoid problems.
>>   The check is somewhat redundant because the consumers of the returned
>>   structure will check that sa_len is a protocol-specific larger size.
>>   
>>   Submitted by:   Matthew Dillon <dillon at apollo.backplane.com>
>>   Reviewed by:    nectar
>>   MFC after:      30 days
> 
> But the check *is not* redundant.  The consumers cannot safely check
> sa_len if the allocation were to be less than `offsetof(struct
> sa_sockaddr, data[0])'--- which it never is, by chance, due to the
> minimum memory allocation size, as you noted.  But we shall all feel
> better that this is made explicit.  FWIW, I think the check should
> have been for `sizeof(*sa)' technically, but what has been committed
> is safe, too, I believe.

The only reason it is redundant instead of manditory is because of the
minimum allocation allocation happens to be large enough for
getsockaddr() to write to sa_len.  If it is safe for getsockaddr() to
write to sa_len, then it is safe for the consumers to read sa_len.

BTW, I think a better solution is for getsockaddr() to call an address
family specific length checker before returning, and to remove the
sa_len check from all the consumers.  With the commit I did to the tcp
code after this commit, sa_len is checked three times for the bind() and
connect() syscalls.  I wasn't feeling that ambitious, though.

It looks like the AF_UNIX implementation allows the length to be shorter
than sizeof(*sa).  It appears that you don't have to pass in the full
104 character sun_path.