Bug #2673

e1_line socket has no/wrong path length check

Added by pespin 8 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 11/22/2017
Due date:
% Done: 0%
Estimated time:
Spec Reference:
Tags: E1

Description

Since recent commit https://gerrit.osmocom.org/#/c/4213/ it starts checking with strlcpy() that the file path is at least PATH_MAX. Even though that fixes a possible overflow, it is still wrong because a unix socket path is at most 108 characters, which means that if a larger path is passed, it will be truncated, and that can create problems (such as the truncated path ending in "/" or in a directory that already exists in the path).

For more info see https://stackoverflow.com/questions/34829600/why-is-the-maximal-path-length-allowed-for-unix-sockets-on-linux-108 and "man 7 unix":

       A UNIX domain socket address is represented in the following structure:

           struct sockaddr_un {
               sa_family_t sun_family;               /* AF_UNIX */
               char        sun_path[108];            /* pathname */
           };

It can also be checked using the following define:

       /usr/include/linux/un.h:6:#define UNIX_PATH_MAX 108
       /usr/include/linux/un.h:10: char sun_path[UNIX_PATH_MAX]; /* pathname */

Several points to improve:
- libosmo-abis: e1_input_vty.c: 1 is at most 107 chars (+1 '\0'">DEFUN, otherwise return warning.
- libosmo-abis: unixsocket.c: unixsocket_line_update: Use UNIX_PATH_MAX instead of PATH_MAX, which is too big.

Bonus: Grep in all projects which use "osmo_sock_unix_init" function, and make sure the same validations are applied during vty parsing.
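
The length check described above, as an added example that is not part of the original report and not libosmo-abis code: a strict helper that refuses a path that does not fit in sun_path, next to a truncating copy for contrast. The names unix_addr_from_path, unix_addr_truncating and make_path are hypothetical, and the sample paths are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not a libosmocore/libosmo-abis function: reject a path
 * that does not fit in sun_path (with its '\0') instead of truncating it. */
int unix_addr_from_path(struct sockaddr_un *addr, const char *path)
{
	size_t len = strlen(path);

	if (len == 0)
		return -EINVAL;
	if (len >= sizeof(addr->sun_path))	/* 108 on Linux: 107 chars + '\0' */
		return -ENAMETOOLONG;
	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	memcpy(addr->sun_path, path, len + 1);
	return 0;
}

/* Contrast: a bounded copy that truncates silently. Memory-safe, but the
 * address now names a different path than the one configured. */
size_t unix_addr_truncating(struct sockaddr_un *addr, const char *path)
{
	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	snprintf(addr->sun_path, sizeof(addr->sun_path), "%s", path);
	return strlen(addr->sun_path);
}

/* Constructed sample input: a path of exactly n characters under /tmp/. */
void make_path(char *buf, size_t n)
{
	memset(buf, 'a', n);
	memcpy(buf, "/tmp/", 5);
	buf[n] = '\0';
}

int main(void)
{
	struct sockaddr_un a;
	char p[256];
	make_path(p, sizeof(a.sun_path));	/* one character too long */
	printf("strict: %d, truncated copy keeps %zu chars\n",
	       unix_addr_from_path(&a, p), unix_addr_truncating(&a, p));
	return 0;
}
```

A vty command handler can call the strict variant on the configured path and return a warning on -ENAMETOOLONG, so an oversized path is rejected at configuration time rather than bound at a truncated location.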

History

#1 Updated by pespin 8 months ago

  • Description updated (diff)

#2 Updated by laforge about 2 months ago

  • Tags set to E1
