Project

General

Profile

Bug #2673

Updated by pespin over 6 years ago

From recent commit https://gerrit.osmocom.org/#/c/4213/ it starts checking with strlcpy() that file path is at least PATH_MAX. Even though that fixes a possible overflow, it is still wrong because a unix socket patch is at most 108 characters, which means if a larger path is passed, it will be truncated, and it can create problems (such as the truncated file finished truncated in "/" or a directory already existing in the path). 

 For more info see https://stackoverflow.com/questions/34829600/why-is-the-maximal-path-length-allowed-for-unix-sockets-on-linux-108 and "man 7 unix": 
 <pre> 
        A UNIX domain socket address is represented in the following structure: 

            struct sockaddr_un { 
                sa_family_t sun_family;                 /* AF_UNIX */ 
                char          sun_path[108];              /* pathname */ 
            }; 

 </pre> 

 It can also be checked using the following define: 
 /usr/include/linux/un.h:6:#define UNIX_PATH_MAX 108 
 /usr/include/linux/un.h:10:       char sun_path[UNIX_PATH_MAX];     /* pathname */ 

 Several points to improve: 
 - libosmo-abis: libosmo-abis -> e1_input_vty.c: DEFUN(cfg_e1line_socket, cfg_e1_line_socket_cmd: check in that vty function that argv[1] is at most 107 chars (+1 '\0'), otherwise return warning. 
 - libosmo-abis: libosmo-abis -> unixsocket.c: unixsocket_line_update: Use UNIX_PATH_MAX instead of PATH_MAX, which is too big. 

 Bonus: Grep in all projects which use "osmo_sock_unix_init" function, and make sure the same validations are applied during vty parsing.

Back

Add picture from clipboard (Maximum size: 48.8 MB)