syscall: ParseUnixCredentials is unsafe #16475

Closed
iangudger opened this issue Jul 22, 2016 · 2 comments

@iangudger iangudger commented Jul 22, 2016

syscall.ParseUnixCredentials does not sufficiently validate its inputs to avoid crashes or returning uninitialized memory to the caller (via unsafe use of unsafe).

Current code:

// ParseUnixCredentials decodes a socket control message that contains
// credentials in a Ucred structure. To receive such a message, the
// SO_PASSCRED option must be enabled on the socket.
func ParseUnixCredentials(m *SocketControlMessage) (*Ucred, error) {
    if m.Header.Level != SOL_SOCKET {
        return nil, EINVAL
    }
    if m.Header.Type != SCM_CREDENTIALS {
        return nil, EINVAL
    }
    ucred := *(*Ucred)(unsafe.Pointer(&m.Data[0]))
    return &ucred, nil
}

The Data field is blindly cast to a Ucred type without checking the length.

Correct code might look something like:

// ParseUnixCredentials decodes a socket control message that contains
// credentials in a Ucred structure. To receive such a message, the
// SO_PASSCRED option must be enabled on the socket.
func ParseUnixCredentials(m *SocketControlMessage) (*Ucred, error) {
    if m.Header.Level != SOL_SOCKET {
        return nil, EINVAL
    }
    if m.Header.Type != SCM_CREDENTIALS {
        return nil, EINVAL
    }
    if len(m.Data) < SizeofUcred {
        return nil, EINVAL
    }
    ucred := *(*Ucred)(unsafe.Pointer(&m.Data[0]))
    return &ucred, nil
}
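
The length check proposed in this issue, applied on the caller's side, as an added example that is not part of the original issue or the Go source. `checkedParseUcred`, `constructedMessage` and `errShortUcred` are hypothetical names, the control message is built in memory with `syscall.UnixCredentials` rather than received from a socket, and the code assumes Linux.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// errShortUcred is a name made up for this example.
var errShortUcred = errors.New("SCM_CREDENTIALS payload shorter than Ucred")

// checkedParseUcred (hypothetical helper) applies the checks proposed in the
// issue before calling syscall.ParseUnixCredentials, so the caller does not
// depend on the library validating len(m.Data) itself.
func checkedParseUcred(m *syscall.SocketControlMessage) (*syscall.Ucred, error) {
	if m == nil {
		return nil, syscall.EINVAL
	}
	if m.Header.Level != syscall.SOL_SOCKET || m.Header.Type != syscall.SCM_CREDENTIALS {
		return nil, syscall.EINVAL
	}
	if len(m.Data) < syscall.SizeofUcred {
		return nil, errShortUcred // empty or truncated payload
	}
	return syscall.ParseUnixCredentials(m)
}

// constructedMessage encodes a Ucred as a control message and parses it back
// into SocketControlMessage form (constructed input, no socket involved).
func constructedMessage(pid int32, uid, gid uint32) (syscall.SocketControlMessage, error) {
	oob := syscall.UnixCredentials(&syscall.Ucred{Pid: pid, Uid: uid, Gid: gid})
	msgs, err := syscall.ParseSocketControlMessage(oob)
	if err != nil || len(msgs) != 1 {
		return syscall.SocketControlMessage{}, syscall.EINVAL
	}
	return msgs[0], nil
}

func main() {
	m, err := constructedMessage(4242, 1000, 1000)
	if err != nil {
		panic(err)
	}
	short := m
	short.Data = m.Data[:syscall.SizeofUcred-1] // constructed truncated payload
	for _, c := range []*syscall.SocketControlMessage{&m, &short} {
		cred, err := checkedParseUcred(c)
		fmt.Printf("len(Data)=%d cred=%+v err=%v\n", len(c.Data), cred, err)
	}
}
```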

@bradfitz bradfitz commented Jul 22, 2016

People who like this bug also like #15653

@bradfitz bradfitz added this to the Go1.8 milestone Jul 22, 2016

@gopherbot gopherbot commented Jul 23, 2016

CL https://golang.org/cl/25154 mentions this issue.

@gopherbot gopherbot closed this in 7995cb8 Aug 20, 2016
@golang golang locked and limited conversation to collaborators Aug 20, 2017