On Wed, Sep 01, 2021 at 04:16:24PM +0300, Michael Tokarev wrote: > Commit 4cfd970ec188558daa6214f26203fe553fb1e01f added an > assert which ensures the path within an address of a unix > socket returned from the kernel is at least one byte and > does not exceed sun_path buffer. Both of this constraints > are wrong: > > A unix socket can be unnamed, in this case the path is > completely empty (not even \0) > > And some implementations (notable linux) can add extra > trailing byte (\0) _after_ the sun_path buffer if we > passed buffer larger than it (and we do). > > So remove the assertion (since it causes real-life breakage) > but at the same time fix the usage of sun_path. Namely, > we should not access sun_path[0] if kernel did not return > it at all (this is the case for unnamed sockets), > and use the returned salen when copyig actual path as an > upper constraint for the amount of bytes to copy - this > will ensure we wont exceed the information provided by > the kernel, regardless whenever there is a trailing \0 > or not. This also helps with unnamed sockets. > > Note the case of abstract socket, the sun_path is actually > a blob and can contain \0 characters, - it should not be > passed to g_strndup and the like, it should be accessed by > memcpy-like functions. > > Fixes: 4cfd970ec188558daa6214f26203fe553fb1e01f > Fixes: http://bugs.debian.org/993145 > Signed-off-by: Michael Tokarev <m...@tls.msk.ru> > CC: qemu-sta...@nongnu.org > --- > util/qemu-sockets.c | 13 +++++-------- > 1 file changed, 5 insertions(+), 8 deletions(-)
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
