* [PATCH] passt-repair: Fix calculation of payload length from cmsg_len
@ 2025-02-07 0:57 Stefano Brivio
0 siblings, 0 replies; only message in thread
From: Stefano Brivio @ 2025-02-07 0:57 UTC (permalink / raw)
To: passt-dev; +Cc: David Gibson
There's no inverse function for CMSG_LEN(), so we need to loop over
SCM_MAX_FD (253) possible input values. The previous calculation is
clearly wrong, as not every int takes CMSG_LEN(sizeof(int)) in cmsg
data.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
passt-repair.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/passt-repair.c b/passt-repair.c
index d137a18..5ad5c9c 100644
--- a/passt-repair.c
+++ b/passt-repair.c
@@ -57,7 +57,7 @@ int main(int argc, char **argv)
char buf[CMSG_SPACE(sizeof(int) * SCM_MAX_FD)]
__attribute__ ((aligned(__alignof__(struct cmsghdr))));
struct sockaddr_un a = { AF_UNIX, "" };
- int fds[SCM_MAX_FD], s, ret, i, n;
+ int fds[SCM_MAX_FD], s, ret, i, n = 0;
struct sock_fprog prog;
int8_t cmd = INT8_MAX;
struct cmsghdr *cmsg;
@@ -127,7 +127,21 @@ loop:
_exit(1);
}
- n = cmsg->cmsg_len / CMSG_LEN(sizeof(int));
+ /* No inverse formula for CMSG_LEN(x), and building one with CMSG_LEN(0)
+ * works but there's no guarantee it does. Search the whole domain.
+ */
+ for (i = 1; i < SCM_MAX_FD; i++) {
+ if (CMSG_LEN(sizeof(int) * i) == cmsg->cmsg_len) {
+ n = i;
+ break;
+ }
+ }
+ if (!n) {
+ fprintf(stderr, "Invalid ancillary data length %zu from peer\n",
+ cmsg->cmsg_len);
+ _exit(1);
+ }
+
memcpy(fds, CMSG_DATA(cmsg), sizeof(int) * n);
if (cmd != TCP_REPAIR_ON && cmd != TCP_REPAIR_OFF &&
--
@@ -57,7 +57,7 @@ int main(int argc, char **argv)
char buf[CMSG_SPACE(sizeof(int) * SCM_MAX_FD)]
__attribute__ ((aligned(__alignof__(struct cmsghdr))));
struct sockaddr_un a = { AF_UNIX, "" };
- int fds[SCM_MAX_FD], s, ret, i, n;
+ int fds[SCM_MAX_FD], s, ret, i, n = 0;
struct sock_fprog prog;
int8_t cmd = INT8_MAX;
struct cmsghdr *cmsg;
@@ -127,7 +127,21 @@ loop:
_exit(1);
}
- n = cmsg->cmsg_len / CMSG_LEN(sizeof(int));
+ /* No inverse formula for CMSG_LEN(x), and building one with CMSG_LEN(0)
+ * works but there's no guarantee it does. Search the whole domain.
+ */
+ for (i = 1; i < SCM_MAX_FD; i++) {
+ if (CMSG_LEN(sizeof(int) * i) == cmsg->cmsg_len) {
+ n = i;
+ break;
+ }
+ }
+ if (!n) {
+ fprintf(stderr, "Invalid ancillary data length %zu from peer\n",
+ cmsg->cmsg_len);
+ _exit(1);
+ }
+
memcpy(fds, CMSG_DATA(cmsg), sizeof(int) * n);
if (cmd != TCP_REPAIR_ON && cmd != TCP_REPAIR_OFF &&
--
2.43.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2025-02-07 0:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-02-07 0:57 [PATCH] passt-repair: Fix calculation of payload length from cmsg_len Stefano Brivio
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).