From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>, passt-dev@passt.top
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 3/4] passt-repair: Improve validation of anciliary data length
Date: Fri, 21 Feb 2025 17:50:09 +1100 [thread overview]
Message-ID: <20250221065010.3681262-4-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20250221065010.3681262-1-david@gibson.dropbear.id.au>
At present we use a rather awkward loop to invert CMSG_LEN() in order to
determine how many fds we have been passed as anciliary data. We can do
a bit better with some pointer trickery. This also lets us validate the
number of fds we've been passed a bit more naturally.
While we're there, allow an empty message (n == 0) because why not.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
passt-repair.c | 26 +++++++-------------------
1 file changed, 7 insertions(+), 19 deletions(-)
diff --git a/passt-repair.c b/passt-repair.c
index 3c358e27..64b926bd 100644
--- a/passt-repair.c
+++ b/passt-repair.c
@@ -77,7 +77,7 @@ int main(int argc, char **argv)
struct cmsghdr *cmsg;
struct msghdr msg;
struct iovec iov;
- size_t cmsg_len;
+ size_t fdlen;
int op;
prctl(PR_SET_DUMPABLE, 0);
@@ -122,27 +122,15 @@ loop:
if (!ret) /* Done */
_exit(0);
- if (!cmsg ||
- cmsg->cmsg_len < CMSG_LEN(sizeof(int)) ||
- cmsg->cmsg_len > CMSG_LEN(sizeof(int) * SCM_MAX_FD) ||
- cmsg->cmsg_type != SCM_RIGHTS)
+ if (!cmsg || cmsg->cmsg_type != SCM_RIGHTS)
die(1, "No/bad ancillary data from peer");
- /* No inverse formula for CMSG_LEN(x), and building one with CMSG_LEN(0)
- * works but there's no guarantee it does. Search the whole domain.
- */
- for (i = 1; i <= SCM_MAX_FD; i++) {
- if (CMSG_LEN(sizeof(int) * i) == cmsg->cmsg_len) {
- n = i;
- break;
- }
- }
- if (!n) {
- cmsg_len = cmsg->cmsg_len; /* socklen_t is 'unsigned' on musl */
- die(1, "Invalid ancillary data length %zu from peer", cmsg_len);
- }
+ fdlen = ((char *)cmsg + cmsg->cmsg_len) - (char *)CMSG_DATA(cmsg);
+ if (fdlen % sizeof(int) != 0 || fdlen > sizeof(fds))
+ die(1, "Invalid SCM_RIGHTS payload length %zu from peer", fdlen);
+ n = fdlen / sizeof(int);
- memcpy(fds, CMSG_DATA(cmsg), sizeof(int) * n);
+ memcpy(fds, CMSG_DATA(cmsg), fdlen);
if (cmd != TCP_REPAIR_ON && cmd != TCP_REPAIR_OFF &&
cmd != TCP_REPAIR_OFF_NO_WP)
--
@@ -77,7 +77,7 @@ int main(int argc, char **argv)
struct cmsghdr *cmsg;
struct msghdr msg;
struct iovec iov;
- size_t cmsg_len;
+ size_t fdlen;
int op;
prctl(PR_SET_DUMPABLE, 0);
@@ -122,27 +122,15 @@ loop:
if (!ret) /* Done */
_exit(0);
- if (!cmsg ||
- cmsg->cmsg_len < CMSG_LEN(sizeof(int)) ||
- cmsg->cmsg_len > CMSG_LEN(sizeof(int) * SCM_MAX_FD) ||
- cmsg->cmsg_type != SCM_RIGHTS)
+ if (!cmsg || cmsg->cmsg_type != SCM_RIGHTS)
die(1, "No/bad ancillary data from peer");
- /* No inverse formula for CMSG_LEN(x), and building one with CMSG_LEN(0)
- * works but there's no guarantee it does. Search the whole domain.
- */
- for (i = 1; i <= SCM_MAX_FD; i++) {
- if (CMSG_LEN(sizeof(int) * i) == cmsg->cmsg_len) {
- n = i;
- break;
- }
- }
- if (!n) {
- cmsg_len = cmsg->cmsg_len; /* socklen_t is 'unsigned' on musl */
- die(1, "Invalid ancillary data length %zu from peer", cmsg_len);
- }
+ fdlen = ((char *)cmsg + cmsg->cmsg_len) - (char *)CMSG_DATA(cmsg);
+ if (fdlen % sizeof(int) != 0 || fdlen > sizeof(fds))
+ die(1, "Invalid SCM_RIGHTS payload length %zu from peer", fdlen);
+ n = fdlen / sizeof(int);
- memcpy(fds, CMSG_DATA(cmsg), sizeof(int) * n);
+ memcpy(fds, CMSG_DATA(cmsg), fdlen);
if (cmd != TCP_REPAIR_ON && cmd != TCP_REPAIR_OFF &&
cmd != TCP_REPAIR_OFF_NO_WP)
--
2.48.1
next prev parent reply other threads:[~2025-02-21 8:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-21 6:50 [PATCH 0/4] passt-repair improvements David Gibson
2025-02-21 6:50 ` [PATCH 1/4] passt-repair: Add die() macro David Gibson
2025-02-21 6:50 ` [PATCH 2/4] passt-repair: Consistently avoid strerror() David Gibson
2025-02-21 6:50 ` David Gibson [this message]
2025-02-21 6:50 ` [PATCH 4/4] passt-repair: Allow passt-repair to report partial failures David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250221065010.3681262-4-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).