NetBSD Problem Report #54176
From www@netbsd.org Wed May 8 10:55:45 2019
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id BAFD27A170
for <gnats-bugs@gnats.NetBSD.org>; Wed, 8 May 2019 10:55:45 +0000 (UTC)
Message-Id: <20190508105544.A22427A1AB@mollari.NetBSD.org>
Date: Wed, 8 May 2019 10:55:44 +0000 (UTC)
From: tho@useless-ficus.net
Reply-To: tho@useless-ficus.net
To: gnats-bugs@NetBSD.org
Subject: getsockopt(2) does not silently truncate returned optval
X-Send-Pr-Version: www-1.0
>Number: 54176
>Category: kern
>Synopsis: getsockopt(2) does not silently truncate returned optval
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 08 11:00:00 +0000 2019
>Last-Modified: Wed May 08 14:10:01 +0000 2019
>Originator: Anthony Mallet
>Release: -current
>Organization:
>Environment:
NetBSD ficus 8.99.37 NetBSD 8.99.37 (FICUS) #18: Sat Apr 27 15:54:05 WEST 2019
>Description:
Posix getsockopt(2) states that "If the size of the option value is
greater than option_len, the value stored in the object pointed to by
the option_value argument shall be silently truncated."
http://pubs.opengroup.org/onlinepubs/009695399/functions/getsockopt.html
Currently EINVAL is returned instead, which causes issues with e.g.
this code sketch:
struct tcp_info tcp_info;
socklen_t len;
len = sizeof(uint8_t); /* only retrieve conn. state */
if (getsockopt(fd, IPPROTO_TCP, TCP_INFO, &tcp_info, &len))
err(2, "getsockopt");
Here is a patch proposal.
>How-To-Repeat:
>Fix:
Index: sys/kern/uipc_socket.c
===================================================================
RCS file: /cvsroot/src/sys/kern/uipc_socket.c,v
retrieving revision 1.278
diff -u -u -r1.278 uipc_socket.c
--- sys/kern/uipc_socket.c 15 Apr 2019 10:53:17 -0000 1.278
+++ sys/kern/uipc_socket.c 8 May 2019 10:48:37 -0000
@@ -2082,11 +2082,8 @@
return error;
}
- if (sopt->sopt_size < len)
- return EINVAL;
-
- memcpy(sopt->sopt_data, buf, len);
- sopt->sopt_retsize = len;
+ sopt->sopt_retsize = MIN(sopt->sopt_size, len);
+ memcpy(sopt->sopt_data, buf, sopt->sopt_retsize);
return 0;
}
@@ -2146,12 +2143,9 @@
return error;
}
- if (sopt->sopt_size < len)
- return EINVAL;
-
- m_copydata(m, 0, len, sopt->sopt_data);
+ sopt->sopt_retsize = MIN(sopt->sopt_size, len);
+ m_copydata(m, 0, sopt->sopt_retsize, sopt->sopt_data);
m_freem(m);
- sopt->sopt_retsize = len;
return 0;
}
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54176 CVS commit: src/sys/kern
Date: Wed, 8 May 2019 10:05:19 -0400
Module Name: src
Committed By: christos
Date: Wed May 8 14:05:19 UTC 2019
Modified Files:
src/sys/kern: uipc_socket.c
Log Message:
PR/54176: Anthony Mallet:
getsockopt(2) does not silently truncate returned optval
To generate a diff of this commit:
cvs rdiff -u -r1.278 -r1.279 src/sys/kern/uipc_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
(Contact us)
$NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.