recv() with MSG_TRUNC flag kills perl with SEGV or glibc double-free #10377
From @leonerd

Created by @leonerd

When using a PF_PACKET socket, the MSG_TRUNC flag can be useful on a recv()

    #!/usr/bin/perl
    use strict;
    use Socket qw( SOCK_DGRAM );
    my $sock = IO::Socket::Packet->new(
    # 40 bytes is enough to extract the IPv4 addresses from the IPv4 header
    # Extract src and dst IP addresses
    printf "Recieved a packet pkttype %d, length %d bytes from %s to %s\n",
        $pkttype, length $buffer, $src, $dst;

(this tested against Socket::Packet 0.04)

This program captures IPv4 packets and prints their lengths and IP addresses.

    *** glibc detected *** /usr/bin/perl: malloc(): memory corruption (fast): 0x0000000001a355c0 ***

I believe this bug is caused by the following lines from pp_sys.c:

(in PP(pp_sysread)):

    buffer = SvGROW(bufsv, (STRLEN)(length+1));

This causes problems if the kernel's return value in count is larger than the

As this is a fairly rare use case, I'm quite happy to provide a special

    my ( $addr, $len ) = recv_len( $sock, my $buffer, $maxlen, $flags );

semantics. I think this would be sufficient to safely use the MSG_TRUNC flag.

* grow the buffer

Perl Info

From @iabyn

On Thu, May 13, 2010 at 10:18:37AM -0700, Paul LeoNerd Evans wrote:

Thanks for the report. I've gone with the 'clamp the returned length' --

The RT System itself - Status changed from 'new' to 'open'

@iabyn - Status changed from 'open' to 'resolved'

Migrated from rt.perl.org#75082 (status was 'resolved')
Searchable as RT75082$
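
The failure mode discussed in this ticket, as an added C example that is neither perl's code nor the fix that was committed: with MSG_TRUNC, recv() returns the datagram's real length, which can exceed the buffer size, so the length recorded for the buffer has to be clamped. The helper names `recv_clamped` and `demo` are hypothetical, the 100-byte datagram is constructed, and an AF_UNIX datagram socketpair stands in for the PF_PACKET socket (Linux behaviour assumed).

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not perl's code): receive one datagram into buf.
 * Returns the number of bytes actually stored in buf, never more than cap.
 * The kernel's raw return value is reported through *wire_len.
 * Returns -1 on error. */
ssize_t recv_clamped(int fd, void *buf, size_t cap, int flags, ssize_t *wire_len)
{
    ssize_t count = recv(fd, buf, cap, flags);
    if (wire_len)
        *wire_len = count;
    if (count < 0)
        return -1;
    /* With MSG_TRUNC, count is the datagram's real length and may exceed cap.
     * Recording it unclamped as the buffer's length is what lets later code
     * read or write past the allocation. */
    return (size_t)count > cap ? (ssize_t)cap : count;
}

/* Constructed demo: a 100-byte datagram is received into a 40-byte buffer.
 * Returns the clamped stored length, or -1 on failure. */
ssize_t demo(ssize_t *wire_len)
{
    int sv[2];
    char pkt[100], buf[40];
    ssize_t stored = -1;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    memset(pkt, 'A', sizeof pkt);
    if (send(sv[0], pkt, sizeof pkt, 0) == (ssize_t)sizeof pkt)
        stored = recv_clamped(sv[1], buf, sizeof buf, MSG_TRUNC, wire_len);
    close(sv[0]);
    close(sv[1]);
    return stored;
}

int main(void)
{
    ssize_t wire = 0, stored = demo(&wire);
    printf("kernel returned %zd, bytes stored %zd\n", wire, stored);
    return stored < 0;
}
```

A caller that needs the real packet length reads it from `wire_len`, while the clamped return value is the only length that is safe to use for the buffer itself.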