You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Err(io::Error::new(ErrorKind::InvalidData,"not an unix socket address"))
}else{
let addr = addr as*constsockaddr_un;
let sun_path_ptr = (&*addr).sun_path.as_ptr();
let sun_path = slice::from_raw_parts(sun_path_ptr, len asusize);
copy.addr.sun_path.copy_from_slice(sun_path);
copy.len = len;
Ok(copy)
Specificlaly, we check that path_offset() < len < path_offset() + sizeof(sun_path)
We then call slice::from_raw_parts(sun_path_ptr, len as usize);
This seems incorrect. path_offset is the offset of sun_path in sockaddr_un. The bounds check we need is 0 < len < sizeof(sun_path), since we are indexing directly into sun_path_ptr, notsockaddr_un.
The text was updated successfully, but these errors were encountered:
It would do out-of-bounds reads for addresses with length equal to
sizeof(sun_path)-path_offset(), and panic for any other lengths.
It had not been tested, and due to that second part
I assume it has never been used.
Fixes#17.
len is supposed to be the length of the whole address including path_offset(), so the slice is too long.
But the function is completely broken, as copy_from_slice() will panic if the slice length is not equal to the length of sun_path!
That means out-of-bounds read will only happen for addresses with a specific, rather long length.
I've apparently never tested it, and since it fails for any reasonable-length address I really doubt anyone else has used it.
We perform a bunch of invariant checks in
UnixSocketAddr::from_raw()
uds/src/addr.rs
Lines 670 to 686 in a596894
Specificlaly, we check that
path_offset() < len < path_offset() + sizeof(sun_path)
We then call
slice::from_raw_parts(sun_path_ptr, len as usize);
This seems incorrect.
path_offset
is the offset ofsun_path
insockaddr_un
. The bounds check we need is0 < len < sizeof(sun_path)
, since we are indexing directly intosun_path_ptr
, notsockaddr_un
.The text was updated successfully, but these errors were encountered: