[stgt] [PATCH] bs_sheepdog.c: fix up buffer overrun issues with unix domain socket

Hitoshi Mitake mitake.hitoshi at gmail.com
Tue Dec 3 02:47:47 CET 2013


At Tue,  3 Dec 2013 10:28:42 +0900,
Ryusuke Konishi wrote:
> 
> The current sheepdog driver still has two buffer overrun issues due to
> unsafe strncpy uses for the pathname buffer of unix domain socket:
> 
> 1) The size of "sun_path" string buffer of "sockaddr_un" structure is
>    108 bytes, however, UNIX_PATH_MAX macro is locally defined as 109.
>    So, the following strncpy use at connect_to_sdog_unix function
>    still can be filled without a terminating null byte.
> 
>       strncpy(un.sun_path, path, UNIX_PATH_MAX - 1);
> 
> 2) The following use of strncpy at sd_open function also has a buffer
>    overrun issue because the size of ai->uds_path is the same as
>    UNIX_PATH_MAX.
> 
>       strncpy(ai->uds_path, result, UNIX_PATH_MAX);
> 
> Moreover, the local definition of UNIX_PATH_MAX, which gives the
> buffer size of unix domain socket pathname, is confusing.  It is
> traditionally used to define the size of "sun_path" string buffer of
> "sockaddr_un", which is 108 bytes including a terminating null byte,
> but this local macro sets it to 109 bytes.
> 
> This patch fixes up these issues.
> 
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp>
> Cc: Hitoshi Mitake <mitake.hitoshi at lab.ntt.co.jp>
> ---
>  usr/bs_sheepdog.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Thanks for your bugfixes, looks good to me.
Reviewed-by: Hitoshi Mitake <mitake.hitoshi at lab.ntt.co.jp>

Thanks,
Hitoshi

> 
> diff --git a/usr/bs_sheepdog.c b/usr/bs_sheepdog.c
> index 315f3aa..43f3157 100644
> --- a/usr/bs_sheepdog.c
> +++ b/usr/bs_sheepdog.c
> @@ -220,7 +220,7 @@ struct sheepdog_fd_list {
>  	struct list_head list;
>  };
>  
> -#define UNIX_PATH_MAX (108 + 1)
> +#define UNIX_PATH_MAX 108
>  
>  struct sheepdog_access_info {
>  	int is_unix;
> @@ -398,7 +398,7 @@ static int connect_to_sdog_unix(const char *path)
>  
>  	memset(&un, 0, sizeof(un));
>  	un.sun_family = AF_UNIX;
> -	strncpy(un.sun_path, path, UNIX_PATH_MAX - 1);
> +	strncpy(un.sun_path, path, sizeof(un.sun_path) - 1);
>  
>  	ret = connect(fd, (const struct sockaddr *)&un, (socklen_t)sizeof(un));
>  	if (ret < 0) {
> @@ -967,7 +967,7 @@ static int sd_open(struct sheepdog_access_info *ai, char *filename, int flags)
>  			}
>  			break;
>  		case EXPECT_PATH:
> -			strncpy(ai->uds_path, result, UNIX_PATH_MAX);
> +			strncpy(ai->uds_path, result, UNIX_PATH_MAX - 1);
>  			parse_state = EXPECT_VDI;
>  			break;
>  		case EXPECT_HOST:
> -- 
> 1.7.9.3
> 
> --
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the stgt mailing list