[Bug 232920] linuxulator: linux_to_bsd_sockaddr and bsd_to_linux_sockaddr are unsafe

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Feb 26 04:59:47 UTC 2019 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232920

Vic Chen <weike_chen at dell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |weike_chen at dell.com

--- Comment #1 from Vic Chen <weike_chen at dell.com> ---
Another related issue is:

The function 'linux_getsockname' in 'linux_socket.c' calls
'bsd_to_linux_sockaddr', and it calls 'bsd_to_linux_domain' to convert
'sa_family' from BSD domain to Linux domain.

 But after calling  'bsd_to_linux_sockaddr', 'linux_sa_put' is called, and it
calls 'bsd_to_linux_domain' to convert 'sa_family' from BSD domain to Linux
domain again.
But the 'sa_family' has already been converted.
Since the value of AF_INTE6 and LINUX_AF_INET6 is different, and converting
twice will cause issue. 

Test Case below:
get_sock_name_case.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#include <sys/socket.h>
#include <netinet/in.h>

int main()
{
    int sock;
    int len = sizeof(struct sockaddr_in6);
    struct sockaddr_in6 add;

    if ((sock=socket(AF_INET6, SOCK_STREAM, 0)) < 0)
    {
        perror("sock");
        return 1;
    }

    memset(&add, 0, len);
    add.sin6_family = AF_INET6;
    add.sin6_port = htons(10000);
    printf("bind address type:%d-port:%d\n", add.sin6_family,
ntohs(add.sin6_port));

    if (bind(sock, (struct sockaddr *)&add, len)<0)
    {
        perror("bind");
        return 1;
    }

    memset(&add, 0, len);
    getsockname(sock, (struct sockaddr *)&add, &len);
    printf("getsockname address type:%d-port:%d\n", add.sin6_family,
ntohs(add.sin6_port));

    return 0;
}

result:
case in linux
user@~/:uname -a
Linux CentOS 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
x86_64 x86_64 GNU/Linux
user@~/:cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

bind address type:10-port:10000
getsockname address type:10-port:10000

case in freebsd
[user at host ~]# uname -a
FreeBSD host 12.0-RELEASE FreeBSD 12.0-RELEASE #94 308a36af9(master)-dirty: Mon
Feb 25 16:33:41 CST 2019     KERNCONF  amd64
[user at host ~]# ./case
bind address type:10-port:10000
getsockname address type:3-port:10000

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-emulation mailing list