Page MenuHomeFreeBSD
Differential D10519

Check the setsockop value size passed by the user before copying it in.
AbandonedPublic
Actions

Authored by brooks on Apr 27 2017, 4:15 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Jun 23, 3:44 PM
Unknown Object (File)
Dec 23 2023, 8:48 AM
Unknown Object (File)
Nov 27 2023, 12:47 PM
Unknown Object (File)
Sep 21 2023, 5:31 PM
Unknown Object (File)
Sep 11 2023, 4:44 AM
Unknown Object (File)
Aug 19 2023, 2:09 PM
Subscribers
None

Details

Reviewers
asomers
ngie
Group Reviewers
network
Summary

The current sockoption processing code completely ignores the size of
the passed option when copying it in. This change rejects sizes that
aren't exactly what is expected to prevent bugs like passing size_t
where int is meant.

Test Plan

We should write tests to pass nonsense sizes.

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 8929
Build 9319: arc lint + arc unit

Event Timeline

brooks created this revision.Apr 27 2017, 4:15 AM
Harbormaster completed remote builds in B8929: Diff 27772.Apr 27 2017, 4:15 AM
brooks mentioned this in D10518: Don't pass size_t arguments to setsockopt(SO_SNDBUF/SO_RCVBUF)..Apr 27 2017, 4:16 AM
ngie requested changes to this revision.Apr 27 2017, 6:48 AM

net@ should be CCed on this

Should this logic be shoved into sooptcopyin, given that the appropriate lengths are passed in (just to avoid unnecessary duplication)?

sys/kern/uipc_socket.c
2681

Why not remove this, then remove the surrounding braces in the new code?

This revision now requires changes to proceed.Apr 27 2017, 6:48 AM
brooks added a comment.Apr 27 2017, 3:56 PM
In D10519#217948, @ngie wrote:

Should this logic be shoved into sooptcopyin, given that the appropriate lengths are passed in (just to avoid unnecessary duplication)?

sooptcopyin has different and incompatible length checking (even if called with the available length it wouldn't return an error when a size_t is passed in place of an int). We should be calling it correctly, but that won't fix this bug.

sys/kern/uipc_socket.c
2681

What do you refer to by "this"?

brooks added a reviewer: network.Apr 27 2017, 3:56 PM
brooks added a comment.Apr 27 2017, 4:10 PM
In D10519#218051, @brooks wrote:
In D10519#217948, @ngie wrote:

Should this logic be shoved into sooptcopyin, given that the appropriate lengths are passed in (just to avoid unnecessary duplication)?

sooptcopyin has different and incompatible length checking (even if called with the available length it wouldn't return an error when a size_t is passed in place of an int). We should be calling it correctly, but that won't fix this bug.

Upon further reflection, I think we are calling sooptcopyin correctly, it just has a weird interface that isn't what we want here. A sensible approach might be to create an sooptcopyin_exact.

brooks abandoned this revision.Apr 27 2017, 5:40 PM

I believe this is the wrong approach, the right approach is likely a sooptcopyin_exact or sooptcopyin_flag. I've submitted https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218919 to track this issue.

Revision Contents
Changeset List

PathSize
sys/
kern/
38 lines

Diff 27772

View Options

sys/kern/uipc_socket.c

Loading...