Opened 6 years ago

Closed 6 years ago

#9943 closed bug (duplicate)

bind and connect don't use the length argument in Unix sockets

Reported by: Anarchos Owned by: axeld
Priority: normal Milestone: R1
Component: Network & Internet/Stack Version: R1/Development
Keywords: bind length Cc:
Blocked By: Blocking:
Has a Patch: yes Platform: x86

Description

In the Unix network protocol suite, bind and connect don't seem to take the length argument into account.

Attachments (1)

0001-Add-length-paramter-to-bind-and-connect.patch (26.6 KB) - added by jscipione 6 years ago.
Add length parameter to bind() and connect()


Change History (6)

Changed 6 years ago by jscipione

Add length parameter to bind() and connect()

comment:1 Changed 6 years ago by jscipione

Has a Patch: set

comment:2 Changed 6 years ago by jscipione

The attached patch is for academic purposes only right now since applying it breaks networking.

comment:3 Changed 6 years ago by axeld

Please have a look at the sockaddr structure, specifically its sa_len field. Long story short, I have no idea what this ticket is about.

comment:4 Changed 6 years ago by jscipione

I hope Anarchos comes back with some more details about the problem he's having; it has something to do with problems experienced while porting the OCaml debugger to Haiku.

Relevant IRC log details:

ret = bind(Int_val(socket), &addr.s_gen, addr_len);
// Int_val(socket) = 24 and addr.s_gen = 1^9^/tmp/camldebug10216 and addr_len=21

it creates a file "/tmp/camldebug10216nj[0m"

it is likely that the len should be 22 to take the null character into account

its length is offsetof(struct sockaddr_un, sun_path) + strlen(sun_path) + 1,
and sun_path contains the null-terminated pathname.

File name is now correct with the +1, but it still says that it cannot connect
to it. And I notice that the permissions are srw-r--r--

It seems BSD accepts it because you give a length to bind anyway
(reading byte after the specified length is a bug in any case,
we should either add an \0 if it's missing, or just fail with EINVAL or so)

This code comes from official source code of the OCaml debugger, and does not
cause troubles on the other platform, so it seems all the other OSes add the null
character...

bind makes the correct file name yes, with "srw-r--r--" permission but the rest
of the program still crashes.

If I inspect memory with Debugger/Inspect, I see the \0, but the length passed
doesn't extend to it, so I guess we do a memcopy with it in a buffer, and forgot
to copy the \0

The problem is that the \0 gets lost, so at some point there is something copying
the data using the given length, but then we switch to sizeof(struct) instead
and the place where the string ends gets lost, and we likely use
min(size, strlen(struct.name)) as the actual size at this point.
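
The length rule discussed in this comment (offsetof(struct sockaddr_un, sun_path) + strlen(sun_path) + 1) and the "add a \0 if it's missing, or fail with EINVAL" handling from comment 3, worked through in C as an added example. This is not code from the ticket, from the OCaml debugger, or from Haiku's network stack; it assumes a POSIX sockaddr_un layout, the extraction helper and its names are hypothetical, and the path "/tmp/camldebug10216" is constructed from the IRC log quoted above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Fill a sockaddr_un for `path` and return the length the ticket's formula
 * prescribes: offsetof(struct sockaddr_un, sun_path) + strlen(path) + 1.
 * Returns 0 if the path (with its terminator) does not fit in sun_path.
 */
size_t unix_addr_len(const char *path, struct sockaddr_un *out)
{
    size_t n = strlen(path);

    memset(out, 0, sizeof(*out));
    if (n + 1 > sizeof(out->sun_path))
        return 0;
    out->sun_family = AF_UNIX;
    memcpy(out->sun_path, path, n + 1);   /* copies the terminator too */
    return offsetof(struct sockaddr_un, sun_path) + n + 1;
}

/*
 * Defensive extraction on the receiving side (what a bind()/connect()
 * implementation should do with the caller-supplied length): never read
 * past `addrlen`, and always hand back a NUL-terminated path even when the
 * caller's length stopped one byte short of the terminator, as in the ticket.
 * Returns 0 on success, or -EINVAL when the address is too short, of the
 * wrong family, or carries an empty or oversized path.
 */
int unix_addr_extract_path(const struct sockaddr *addr, socklen_t addrlen,
                           char *out, size_t outsize)
{
    const size_t header = offsetof(struct sockaddr_un, sun_path);
    const struct sockaddr_un *un;
    size_t max, n = 0;

    if (addr == NULL || addrlen <= header || addr->sa_family != AF_UNIX)
        return -EINVAL;

    un = (const struct sockaddr_un *)addr;
    max = addrlen - header;               /* bytes of sun_path the caller vouches for */
    if (max > sizeof(un->sun_path))
        max = sizeof(un->sun_path);

    /* Bounded scan: stop at the first NUL or at `max`, whichever comes first. */
    while (n < max && un->sun_path[n] != '\0')
        n++;

    if (n == 0 || n >= outsize)
        return -EINVAL;
    memcpy(out, un->sun_path, n);
    out[n] = '\0';                        /* terminator supplied if it was missing */
    return 0;
}

/*
 * Replays the constructed ticket scenario. Returns 0 when every step behaves
 * as expected, otherwise the number of the step that failed.
 */
int check_ticket_scenario(void)
{
    const char *path = "/tmp/camldebug10216";   /* constructed, taken from the IRC log */
    struct sockaddr_un addr;
    char got[sizeof(addr.sun_path)];
    size_t len = unix_addr_len(path, &addr);

    if (len != offsetof(struct sockaddr_un, sun_path) + strlen(path) + 1)
        return 1;
    /* Correct length (includes the NUL): the path round-trips. */
    if (unix_addr_extract_path((struct sockaddr *)&addr, (socklen_t)len, got, sizeof got) != 0
            || strcmp(got, path) != 0)
        return 2;
    /* Length one byte short (the original bug): still terminated, no trailing garbage. */
    if (unix_addr_extract_path((struct sockaddr *)&addr, (socklen_t)(len - 1), got, sizeof got) != 0
            || strcmp(got, path) != 0)
        return 3;
    /* Length that does not even cover the header: rejected with EINVAL. */
    if (unix_addr_extract_path((struct sockaddr *)&addr, 1, got, sizeof got) != -EINVAL)
        return 4;
    return 0;
}

int main(void)
{
    int rc = check_ticket_scenario();
    printf("ticket scenario: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The receiving side never trusts a terminator it was not given: it scans at most `addrlen - offsetof(sun_path)` bytes and writes its own NUL, which is exactly what prevents the "/tmp/camldebug10216nj[0m" style filename when a caller passes 21 instead of 22.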

comment:5 Changed 6 years ago by pulkomandy

Resolution: duplicate
Status: new → closed

Duplicate of #3255.
