Hi,
I've found a bug with unix domain sockets in both kernels 2.2 and 2.4.
If the program issues a recvfrom() on a SOCK_DGRAM socket, and the sender
had no name, the sockaddr returned is not filled in.
The returned socklen is 2, but the sockaddr.family is not touched. A fix is
below:
--- af_unix.c~ Mon Feb 25 20:38:16 2002
+++ af_unix.c Fri Oct 4 09:46:26 2002
@@ -1392,6 +1392,9 @@
sk->protinfo.af_unix.addr->name,
sk->protinfo.af_unix.addr->len);
}
+ else {
+ ((struct sockaddr *) msg->msg_name)->sa_family = AF_UNIX;
+ }
}
static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, int size,
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From: Balazs Scheidler <[email protected]>
Date: Mon, 7 Oct 2002 09:35:32 +0200
The returned socklen is 2, but the sockaddr.family is not touched. A fix is
below:
Since msg->msg_namelen is zero, msg->msg_name should not be
interpreted in any way at all.
On Mon, Oct 07, 2002 at 12:48:00AM -0700, David S. Miller wrote:
> From: Balazs Scheidler <[email protected]>
> Date: Mon, 7 Oct 2002 09:35:32 +0200
>
> The returned socklen is 2, but the sockaddr.family is not touched. A fix is
> below:
>
> Since msg->msg_namelen is zero, msg->msg_name should not be
> interpreted in any way at all.
You would be right, if it would be zero, but it isn't:
373 res = recvfrom(closure->fd, buffer, length, 0, (struct sockaddr *) addr, (socklen_t *) addrlen);
(gdb) n
375 if (*addrlen == 2) {
(gdb) p *addrlen
$2 = 2
Checking out the code again:
static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
{
msg->msg_namelen = sizeof(short);
if (sk->protinfo.af_unix.addr) {
msg->msg_namelen=sk->protinfo.af_unix.addr->len;
memcpy(msg->msg_name,
sk->protinfo.af_unix.addr->name,
sk->protinfo.af_unix.addr->len);
}
}
namelen is explicitly set to sizeof(short) == 2.
This is 2.4.18
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From: Balazs Scheidler <[email protected]>
Date: Mon, 7 Oct 2002 10:01:01 +0200
This is 2.4.18
Look at current 2.4.20-preX sources, it is set to zero
now.
On Mon, 7 Oct 2002, Balazs Scheidler wrote:
> I've found a bug with unix domain sockets in both kernels 2.2 and 2.4.
This is not an issue for 2.2, as msg->msg_namelen is already zeroed
appropriately.
- James
--
James Morris
<[email protected]>
2.4.20-rc1, still not working well for recvfrom() of unix-dgram sockets. It
doesn't return 0 as the length of the sockaddr, checking out the code again
makes me think that this is the problem:
--- socket.c.old Tue Nov 5 18:48:22 2002
+++ socket.c Tue Nov 5 18:49:34 2002
@@ -1262,7 +1262,7 @@
flags |= MSG_DONTWAIT;
err=sock_recvmsg(sock, &msg, size, flags);
- if(err >= 0 && addr != NULL && msg.msg_namelen)
+ if(err >= 0 && addr != NULL)
{
err2=move_addr_to_user(address, msg.msg_namelen, addr, addr_len);
if(err2<0)
---------
strace for the behaviour of the kernel:
> recvfrom(3, "<38>Nov 5 17:53:01 PAM_unix[952"..., 2048, 0, {sin_family=0xf80c /* AF_??? */, {sa_family=63500, sa_data="\377\27
> 7\6\351\4\10\10\270\5\10\360@\5\10"}, [256]) = 82
you can see that 256 is returned as the length of the sockaddr, and there's garbage in the sa_family field.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1