[Bug 232920] linuxulator: linux_to_bsd_sockaddr and bsd_to_linux_sockaddr are unsafe
bugzilla-noreply at freebsd.org
Tue Feb 26 04:59:47 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232920
Vic Chen <weike_chen at dell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |weike_chen at dell.com
--- Comment #1 from Vic Chen <weike_chen at dell.com> ---
Another related issue is:
The function 'linux_getsockname' in 'linux_socket.c' calls
'bsd_to_linux_sockaddr', and it calls 'bsd_to_linux_domain' to convert
'sa_family' from BSD domain to Linux domain.
But after calling 'bsd_to_linux_sockaddr', 'linux_sa_put' is called, and it
calls 'bsd_to_linux_domain' to convert 'sa_family' from BSD domain to Linux
domain again.
But the 'sa_family' has already been converted.
Since the values of AF_INET6 and LINUX_AF_INET6 are different, converting
twice will cause an issue.
Test Case below:
get_sock_name_case.c

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>   /* htons(), ntohs() */

    int main(void)
    {
        int sock;
        /* getsockname() takes a socklen_t *, not an int * */
        socklen_t len = sizeof(struct sockaddr_in6);
        struct sockaddr_in6 add;

        if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0)
        {
            perror("sock");
            return 1;
        }

        /* Bind to the IPv6 wildcard address on port 10000 */
        memset(&add, 0, len);
        add.sin6_family = AF_INET6;
        add.sin6_port = htons(10000);
        printf("bind address type:%d-port:%d\n", add.sin6_family,
            ntohs(add.sin6_port));
        if (bind(sock, (struct sockaddr *)&add, len) < 0)
        {
            perror("bind");
            return 1;
        }

        /* Read the address back; sin6_family should still be AF_INET6 */
        memset(&add, 0, len);
        if (getsockname(sock, (struct sockaddr *)&add, &len) < 0)
        {
            perror("getsockname");
            return 1;
        }
        printf("getsockname address type:%d-port:%d\n", add.sin6_family,
            ntohs(add.sin6_port));
        return 0;
    }

result:
case in linux
user@~/:uname -a
Linux CentOS 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
x86_64 x86_64 GNU/Linux
user@~/:cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
bind address type:10-port:10000
getsockname address type:10-port:10000
case in freebsd
[user at host ~]# uname -a
FreeBSD host 12.0-RELEASE FreeBSD 12.0-RELEASE #94 308a36af9(master)-dirty: Mon
Feb 25 16:33:41 CST 2019 KERNCONF amd64
[user at host ~]# ./case
bind address type:10-port:10000
getsockname address type:3-port:10000
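The following is an added example, not part of the bug report or of the FreeBSD source: a userspace model of the double conversion described in the comment, showing how AF_INET6 ends up as 3 and why only families whose BSD and Linux numbers differ are affected. The model_* and family_* names are hypothetical; the numeric constants are the FreeBSD and Linux address-family values, and the AF_CCITT to AX25 table entry is an assumption chosen because it matches the value 3 observed in the test output.

```c
#include <stdio.h>

/* FreeBSD address-family numbers, prefixed BSD_ for this model. */
enum { BSD_AF_UNSPEC = 0, BSD_AF_LOCAL = 1, BSD_AF_INET = 2,
       BSD_AF_CCITT = 10, BSD_AF_INET6 = 28 };
/* Linux address-family numbers. */
enum { LINUX_AF_UNSPEC = 0, LINUX_AF_UNIX = 1, LINUX_AF_INET = 2,
       LINUX_AF_AX25 = 3, LINUX_AF_INET6 = 10 };

/* Model of bsd_to_linux_domain(). Assumption: BSD family 10 (AF_CCITT)
 * is translated to Linux AX25 (3), consistent with the reported output. */
static int model_bsd_to_linux_domain(int domain)
{
    switch (domain) {
    case BSD_AF_UNSPEC: return LINUX_AF_UNSPEC;
    case BSD_AF_LOCAL:  return LINUX_AF_UNIX;
    case BSD_AF_INET:   return LINUX_AF_INET;
    case BSD_AF_INET6:  return LINUX_AF_INET6;
    case BSD_AF_CCITT:  return LINUX_AF_AX25;
    default:            return -1;   /* no Linux equivalent in this model */
    }
}

/* Expected behaviour: sa_family is translated exactly once. */
static int family_converted_once(int bsd_family)
{
    return model_bsd_to_linux_domain(bsd_family);
}

/* Reported behaviour: the already-translated Linux value is fed back in
 * as if it were still a BSD family number. */
static int family_converted_twice(int bsd_family)
{
    return model_bsd_to_linux_domain(model_bsd_to_linux_domain(bsd_family));
}

/* Count the common socket families for which a second pass changes the
 * result. Families numbered identically on both systems hide the bug. */
static int count_double_conversion_mismatches(void)
{
    static const int fams[] = { BSD_AF_UNSPEC, BSD_AF_LOCAL,
                                BSD_AF_INET, BSD_AF_INET6 };
    int i, bad = 0;
    for (i = 0; i < (int)(sizeof(fams) / sizeof(fams[0])); i++)
        if (family_converted_once(fams[i]) != family_converted_twice(fams[i]))
            bad++;
    return bad;
}

int main(void)
{
    printf("AF_INET6 once:%d twice:%d mismatches:%d\n",
        family_converted_once(BSD_AF_INET6),
        family_converted_twice(BSD_AF_INET6),
        count_double_conversion_mismatches());
    return 0;
}
```

AF_UNSPEC, AF_LOCAL and AF_INET have the same number on both systems, so a second translation leaves them unchanged; a regression test for this code path needs an IPv6 socket, as in the test case above.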