4 comments on commit
fix strncpy call to avoid ASAN violation
Ensure we're only reading to the size of the smallest buffer, since they're both on the stack and could potentially overlap. Overlapping is defined as ... undefined behavior. I've looked through all available implementations of strncpy and they still only copy from the first \0 found. We'll also never read past the end of sun_path since we _supply_ sun_path with a proper null terminator.
unix(7) sockets have three different types of names:
sun_path shouldn't be inspected at all.
Are unix sockets of the other two types reachable by this code? (and, perhaps, was the asan warning about writing a nul before the buffer starts?)
Thanks
Just path type. So far as I could tell the ASAN violation is due to optimized forms of strncpy examining chunks of bytes at a time while scanning for a null. I wasn't able to personally reproduce.
Thanks for the reply; I'm not too surprised that strncpy might search eight or sixteen bytes at a go. UB is an interesting twist I didn't expect here.
Thanks
Yup... just to clarify for any future readers: we only read back sun_path from instances where a string has been copied to it, and we insert the null byte before copying. So the OS would have to lose the byte to cause any kind of direct bug.
It also requires that memc be clamped to localhost via a unix socket and the sun_path input is controlled via a commandline argument. Further, on linux at least long paths are truncated to significantly less than sun_path (though I didn't track down the detail here).
The problem is we had two (overlapping in the stack) buffers and strncpy was given the len restriction of the larger buffer. Hence original comment; they'll read 8 bytes at a time up until < 8 bytes remain in the len argument.
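An added illustration of the bound the commit message and the last comment describe; this is not memcached's code. The read-back copy is limited by the smaller of the two buffers, and sun_path is given its terminator before anything copies from it. The helper names and the 256-byte stack buffer are assumptions.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not memcached's code: place a caller-supplied path in
 * sun_path, refusing anything that would not fit together with its '\0'. */
int set_unix_path(struct sockaddr_un *addr, const char *path) {
    size_t n = strlen(path);
    if (n >= sizeof(addr->sun_path))
        return -1;                        /* no room left for the terminator */
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n + 1);  /* copies the '\0' we later rely on */
    return 0;
}

/* Read sun_path back into a caller buffer. The strncpy bound is the SMALLER
 * of the two buffers: a destination bigger than sun_path (the bug in the
 * commit) must not let strncpy's word-at-a-time scan run off the source. */
size_t get_unix_path(const struct sockaddr_un *addr, char *out, size_t outlen) {
    size_t lim = sizeof(addr->sun_path);
    if (outlen < lim) lim = outlen;
    if (lim == 0) return 0;
    strncpy(out, addr->sun_path, lim);
    out[lim - 1] = '\0';                  /* strncpy itself may not terminate */
    return strlen(out);
}

/* Round trip through a 256-byte stack buffer (larger than sun_path, as in the
 * original code); returns the length read back, or -1 if the path is refused. */
int round_trip(const char *path, size_t outlen) {
    struct sockaddr_un addr;
    char out[256];
    if (outlen > sizeof(out) || set_unix_path(&addr, path) != 0)
        return -1;
    return (int)get_unix_path(&addr, out, outlen);
}

/* A path of exactly sizeof(sun_path) bytes leaves no room for '\0': refused. */
int rejects_overlong(void) {
    struct sockaddr_un addr;
    char path[sizeof(addr.sun_path) + 1];
    memset(path, 'a', sizeof(path) - 1);
    path[sizeof(path) - 1] = '\0';
    return set_unix_path(&addr, path);
}
```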