[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by Mark Lawrence : -- nosy: -BreamoreBoy ___ Python tracker ___ ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by Christian Heimes : -- versions: +Python 3.6, Python 3.7 -Python 2.6, Python 3.2, Python 3.3 ___ Python tracker ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson added the comment: Attaching patches for 3.5. -- Added file: http://bugs.python.org/file39309/enable-unterminated-3.5-2015-05-06.diff Added file: http://bugs.python.org/file39310/fix-overrun-3.5-2015-05-06.diff ___ Python tracker

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson added the comment: I've rebased the patches onto all the currently released branches, but since there are now so many variations required, I've bundled the pass-unterminated and test patches into a single set (enable-unterminated-*), and the return-unterminated and

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Mark Lawrence added the comment: As this is flagged as a high priority security issue shouldn't we be implementing needed source code changes? According to msg138224 The patches look good to me. -- nosy: +BreamoreBoy versions: +Python 3.5 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by Serhiy Storchaka storch...@gmail.com: -- versions: +Python 3.4 -Python 3.1 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___ ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson bai...@users.sourceforge.net added the comment: On Sun 12 Jun 2011, Charles-François Natali wrote: The patches look good to me, except that instead of passing (addrlen buflen) ? buflen : addrlen as addrlen argument every time makesockaddr is called, I'd prefer if this min was

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Terry J. Reedy tjre...@udel.edu added the comment: Is this a security issue or just a regular bug? -- nosy: +terry.reedy ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Antoine Pitrou pit...@free.fr added the comment: It's a potential security issue. -- nosy: +neologix, rosslagerwall versions: +Python 3.3 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by Terry J. Reedy tjre...@udel.edu: -- type: behavior - security ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___ ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Charles-François Natali neolo...@free.fr added the comment: The patches look good to me, except that instead of passing (addrlen buflen) ? buflen : addrlen as addrlen argument every time makesockaddr is called, I'd prefer if this min was done inside makesockaddr itself, i.e. perform

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Martin v. Löwis mar...@v.loewis.de added the comment: I see. Looking at net/unix/af_unix.c:unix_mkname of Linux 2.6, there is a comment that says Check unix socket name: [...] - if started by not zero, should be NULL terminated (FS object) However, the code then just does /* * This

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson bai...@users.sourceforge.net added the comment: With all the effort that went into the patch, I recommend to get it right: if there is space for the \0, include it. If the string size is exactly 108, and it's linux, write it unterminated. Else fail. As for testing: we should

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson bai...@users.sourceforge.net added the comment: I meant to say that FreeBSD provides the SUN_LEN macro, but it turns out that Linux does as well, and its version behaves the same as FreeBSD's. The FreeBSD man pages state that the terminating null is not part of the address:

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Martin v. Löwis mar...@v.loewis.de added the comment: The examples in Stevens/Rago's Advanced Programming in the Unix Environment also pass address lengths to bind(), etc. that do not include the null. I didn't (mean to) suggest that the null must be included in the length - only that it

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson bai...@users.sourceforge.net added the comment: I've updated the PEP 383 patches at issue #8373 with separate versions for if the linux-pass-unterminated patch is applied or not. If it's not essential to have unit tests for the overrun issue, I'd suggest applying just the

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson bai...@users.sourceforge.net added the comment: baikie, coming back to your original message: what precisely makes you believe that sun_path does not need to be null-terminated on Linux? That's the way I demonstrated the bug - the only way to bind to a 108-byte path is to pass

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson bai...@users.sourceforge.net added the comment: baikie: why did the test pass for you? The test passes (I assume) if linux-pass-unterminated.diff is applied. The latter patch is only meant to exhibit the issue, though, not to be checked in. No, I meant for

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Martin v. Löwis mar...@v.loewis.de added the comment: baikie, coming back to your original message: what precisely makes you believe that sun_path does not need to be null-terminated on Linux? -- ___ Python tracker rep...@bugs.python.org

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Antoine Pitrou pit...@free.fr added the comment: With the patches applied except linux-pass-unterminated.diff, I get the following test failure: == ERROR: testMaxPathLen (test.test_socket.TestLinuxPathLen)

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Martin v. Löwis mar...@v.loewis.de added the comment: I guess this test should simply removed. (not sure which test you are referring to: the test case, or the test for too long path names:) I think both tests need to stay. Instead, I think that testMaxPathLen is incorrect: it doesn't take

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Antoine Pitrou pit...@free.fr added the comment: baikie: why did the test pass for you? The test passes (I assume) if linux-pass-unterminated.diff is applied. The latter patch is only meant to exhibit the issue, though, not to be checked in. --

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

David Watson bai...@users.sourceforge.net added the comment: Attaching the C test programs I forgot to attach yesterday - sorry about that. I've also tried these programs, and the patches, on FreeBSD 5.3 (an old version from late 2004). I found that it accepted unterminated addresses as well,

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by David Watson bai...@users.sourceforge.net: Added file: http://bugs.python.org/file16899/accept.c ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

New submission from David Watson bai...@users.sourceforge.net: The makesockaddr() function in the socket module assumes that AF_UNIX addresses have a null-terminated sun_path, but Linux actually allows unterminated addresses using all 108 bytes of sun_path (for normal filesystem sockets, that

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by David Watson bai...@users.sourceforge.net: Added file: http://bugs.python.org/file16875/return-unterminated-2.x.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by David Watson bai...@users.sourceforge.net: Added file: http://bugs.python.org/file16876/return-unterminated-3.x.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by David Watson bai...@users.sourceforge.net: Added file: http://bugs.python.org/file16877/addrlen-2.x.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by David Watson bai...@users.sourceforge.net: Added file: http://bugs.python.org/file16878/addrlen-3.x.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by David Watson bai...@users.sourceforge.net: Added file: http://bugs.python.org/file16879/test-2.x.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by David Watson bai...@users.sourceforge.net: Added file: http://bugs.python.org/file16880/test-3.x.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372 ___

[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses

Changes by Antoine Pitrou pit...@free.fr: -- nosy: +haypo, loewis priority: - high stage: - patch review versions: -Python 2.5, Python 3.3 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue8372