From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
Cc: David Gibson
Subject: [PATCH 3/4] passt-repair: Improve validation of ancillary data length
Date: Fri, 21 Feb 2025 17:50:09 +1100
Message-ID: <20250221065010.3681262-4-david@gibson.dropbear.id.au>
In-Reply-To: <20250221065010.3681262-1-david@gibson.dropbear.id.au>
References: <20250221065010.3681262-1-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.48.1
List-Id: Development discussion and patches for passt

At present we use a rather awkward loop to invert CMSG_LEN() in order to
determine how many fds we have been passed as ancillary data. We can do a
bit better with some pointer trickery. This also lets us validate the
number of fds we've been passed a bit more naturally.

While we're there, allow an empty message (n == 0) because why not.

Signed-off-by: David Gibson
---
 passt-repair.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/passt-repair.c b/passt-repair.c index 3c358e27..64b926bd 100644 --- a/passt-repair.c +++ b/passt-repair.c @@ -77,7 +77,7 @@ int main(int argc, char **argv) struct cmsghdr *cmsg; struct msghdr msg; struct iovec iov; - size_t cmsg_len; + size_t fdlen; int op; prctl(PR_SET_DUMPABLE, 0); 
@@ -122,27 +122,15 @@ loop: if (!ret) /* Done */ _exit(0); - if (!cmsg || - cmsg->cmsg_len < CMSG_LEN(sizeof(int)) || - cmsg->cmsg_len > CMSG_LEN(sizeof(int) * SCM_MAX_FD) || - cmsg->cmsg_type != SCM_RIGHTS) + if (!cmsg || cmsg->cmsg_type != SCM_RIGHTS) die(1, "No/bad ancillary data from peer"); - /* No inverse formula for CMSG_LEN(x), and building one with CMSG_LEN(0) - * works but there's no guarantee it does. Search the whole domain. - */ - for (i = 1; i <= SCM_MAX_FD; i++) { - if (CMSG_LEN(sizeof(int) * i) == cmsg->cmsg_len) { - n = i; - break; - } - } - if (!n) { - cmsg_len = cmsg->cmsg_len; /* socklen_t is 'unsigned' on musl */ - die(1, "Invalid ancillary data length %zu from peer", cmsg_len); - } + fdlen = ((char *)cmsg + cmsg->cmsg_len) - (char *)CMSG_DATA(cmsg); + if (fdlen % sizeof(int) != 0 || fdlen > sizeof(fds)) + die(1, "Invalid SCM_RIGHTS payload length %zu from peer", fdlen); + n = fdlen / sizeof(int); - memcpy(fds, CMSG_DATA(cmsg), sizeof(int) * n); + memcpy(fds, CMSG_DATA(cmsg), fdlen); if (cmd != TCP_REPAIR_ON && cmd != TCP_REPAIR_OFF && cmd != TCP_REPAIR_OFF_NO_WP) -- 2.48.1
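Review bot: with the CMSG_LEN() inversion loop removed in the second hunk, check whether the loop counter `i` (and the zero-initialisation of `n` that the old `if (!n)` test relied on) is still referenced anywhere else in main(); the declaration block shown in this first hunk covers only `cmsg`, `msg`, `iov` and `op`, so if `i` is declared just outside this context it should be dropped in the same patch to avoid an unused-variable warning. The `cmsg_len` to `fdlen` rename itself is fine: `size_t` matches the `%zu` used in the new die() call, and the musl `socklen_t` workaround goes away naturally because `cmsg->cmsg_len` is no longer copied into a local just to be printed.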
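Review bot: the new `fdlen` computation in the second hunk silently depends on the lower-bound check it deletes. The old code rejected `cmsg->cmsg_len < CMSG_LEN(sizeof(int))`; the new code only rejects `cmsg_type != SCM_RIGHTS`, so a `cmsg_len` smaller than the cmsghdr itself makes `((char *)cmsg + cmsg->cmsg_len) - (char *)CMSG_DATA(cmsg)` negative, and the only reason it is still caught is that the negative `ptrdiff_t` converts to a huge `size_t` that fails `fdlen > sizeof(fds)`. The kernel should never hand over such a cmsg, but since this is the validation path for data received from a peer, an explicit `cmsg->cmsg_len < CMSG_LEN(0)` test before the subtraction, or at least a comment stating that the unsigned wrap is intended, would make the intent clear. The `fdlen % sizeof(int) != 0` and `fdlen > sizeof(fds)` checks together bound `n` to the capacity of `fds`, which replaces the old `SCM_MAX_FD` cap only if `fds` is declared with `SCM_MAX_FD` entries; worth a glance at that declaration. Finally, now that `n == 0` is accepted, confirm that the code following the hunk (not visible here) tolerates zero fds rather than unconditionally using `fds[0]`.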