[1/8] vchan-socket-proxy: Ensure UNIX path NUL terminated

Message ID	20200525024955.225415-2-jandryuk@gmail.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <SRS0=HK45=7H=lists.xenproject.org=xen-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8E5922075F From: Jason Andryuk <jandryuk@gmail.com> To: xen-devel@lists.xenproject.org Subject: [PATCH 1/8] vchan-socket-proxy: Ensure UNIX path NUL terminated Date: Sun, 24 May 2020 22:49:48 -0400 Message-Id: <20200525024955.225415-2-jandryuk@gmail.com> In-Reply-To: <20200525024955.225415-1-jandryuk@gmail.com> References: <20200525024955.225415-1-jandryuk@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Cc: Ian Jackson <ian.jackson@eu.citrix.com>, marmarek@invisiblethingslab.com, Wei Liu <wl@xen.org>, Jason Andryuk <jandryuk@gmail.com> Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Series	Coverity fixes for vchan-socket-proxy \| expand [0/8] Coverity fixes for vchan-socket-proxy [1/8] vchan-socket-proxy: Ensure UNIX path NUL terminated [2/8] vchan-socket-proxy: Check xs_watch return value [3/8] vchan-socket-proxy: Unify main return value [4/8] vchan-socket-proxy: Use a struct to store state [5/8] vchan-socket-proxy: Switch data_loop() to take state [6/8] vchan-socket-proxy: Set closed FDs to -1 [7/8] vchan-socket-proxy: Cleanup resources on exit [8/8] vchan-socket-proxy: Handle closing shared input/output_fd

Message ID

20200525024955.225415-2-jandryuk@gmail.com (mailing list archive)

State

Superseded

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8E5922075F
From: Jason Andryuk <jandryuk@gmail.com>
To: xen-devel@lists.xenproject.org
Subject: [PATCH 1/8] vchan-socket-proxy: Ensure UNIX path NUL terminated
Date: Sun, 24 May 2020 22:49:48 -0400
Message-Id: <20200525024955.225415-2-jandryuk@gmail.com>
In-Reply-To: <20200525024955.225415-1-jandryuk@gmail.com>
References: <20200525024955.225415-1-jandryuk@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Cc: Ian Jackson <ian.jackson@eu.citrix.com>, marmarek@invisiblethingslab.com,
 Wei Liu <wl@xen.org>, Jason Andryuk <jandryuk@gmail.com>
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

Series

Coverity fixes for vchan-socket-proxy | expand

Check the socket path length to ensure sun_path is NUL terminated. This was spotted by Citrix's Coverity. Signed-off-by: Jason Andryuk <jandryuk@gmail.com> --- tools/libvchan/vchan-socket-proxy.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)

Comments

Marek Marczykowski-Górecki June 13, 2020, 12:40 p.m. UTC | #1

On Sun, May 24, 2020 at 10:49:48PM -0400, Jason Andryuk wrote:
> Check the socket path length to ensure sun_path is NUL terminated.
> 
> This was spotted by Citrix's Coverity.
> 
> Signed-off-by: Jason Andryuk <jandryuk@gmail.com>

Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

> ---
>  tools/libvchan/vchan-socket-proxy.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/tools/libvchan/vchan-socket-proxy.c b/tools/libvchan/vchan-socket-proxy.c
> index 13700c5d67..6d860af340 100644
> --- a/tools/libvchan/vchan-socket-proxy.c
> +++ b/tools/libvchan/vchan-socket-proxy.c
> @@ -148,6 +148,12 @@ static int connect_socket(const char *path_or_fd) {
>          return fd;
>      }
>  
> +    if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
> +        fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
> +                path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
> +        return -1;
> +    }
> +
>      fd = socket(AF_UNIX, SOCK_STREAM, 0);
>      if (fd == -1)
>          return -1;
> @@ -174,6 +180,12 @@ static int listen_socket(const char *path_or_fd) {
>          return fd;
>      }
>  
> +    if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
> +        fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
> +                path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
> +        return -1;
> +    }
> +
>      /* if not a number, assume a socket path */
>      fd = socket(AF_UNIX, SOCK_STREAM, 0);
>      if (fd == -1)

diff --git a/tools/libvchan/vchan-socket-proxy.c b/tools/libvchan/vchan-socket-proxy.c
index 13700c5d67..6d860af340 100644
--- a/tools/libvchan/vchan-socket-proxy.c
+++ b/tools/libvchan/vchan-socket-proxy.c
@@ -148,6 +148,12 @@  static int connect_socket(const char *path_or_fd) {
         return fd;
     }
 
+    if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+        fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+                path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+        return -1;
+    }
+
     fd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (fd == -1)
         return -1;
@@ -174,6 +180,12 @@  static int listen_socket(const char *path_or_fd) {
         return fd;
     }
 
+    if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+        fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+                path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+        return -1;
+    }
+
     /* if not a number, assume a socket path */
     fd = socket(AF_UNIX, SOCK_STREAM, 0);
     if (fd == -1)

[1/8] vchan-socket-proxy: Ensure UNIX path NUL terminated

Commit Message

Comments

Patch