kern/54176: getsockopt(2) does not silently truncate returned optval

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/54176: getsockopt(2) does not silently truncate returned optval
From: tho%useless-ficus.net@localhost
Date: Wed, 8 May 2019 11:00:00 +0000 (UTC)

>Number:         54176
>Category:       kern
>Synopsis:       getsockopt(2) does not silently truncate returned optval
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 08 11:00:00 +0000 2019
>Originator:     Anthony Mallet
>Release:        -current
>Organization:
>Environment:
NetBSD ficus 8.99.37 NetBSD 8.99.37 (FICUS) #18: Sat Apr 27 15:54:05 WEST 2019
>Description:
Posix getsockopt(2) states that "If the size of the option value is
greater than option_len, the value stored in the object pointed to by
the option_value argument shall be silently truncated."
http://pubs.opengroup.org/onlinepubs/009695399/functions/getsockopt.html

Currently EINVAL is returned instead, which causes issues with e.g.
this code sketch:
  struct tcp_info tcp_info;
  socklen_t len;

  len = sizeof(uint8_t); /* only retrieve conn. state */
  if (getsockopt(fd, IPPROTO_TCP, TCP_INFO, &tcp_info, &len))
    err(2, "getsockopt");

Here is a patch proposal.

>How-To-Repeat:

>Fix:
Index: sys/kern/uipc_socket.c
===================================================================
RCS file: /cvsroot/src/sys/kern/uipc_socket.c,v
retrieving revision 1.278
diff -u -u -r1.278 uipc_socket.c
--- sys/kern/uipc_socket.c	15 Apr 2019 10:53:17 -0000	1.278
+++ sys/kern/uipc_socket.c	8 May 2019 10:48:37 -0000
@@ -2082,11 +2082,8 @@
 			return error;
 	}
 
-	if (sopt->sopt_size < len)
-		return EINVAL;
-
-	memcpy(sopt->sopt_data, buf, len);
-	sopt->sopt_retsize = len;
+	sopt->sopt_retsize = MIN(sopt->sopt_size, len);
+	memcpy(sopt->sopt_data, buf, sopt->sopt_retsize);
 
 	return 0;
 }
@@ -2146,12 +2143,9 @@
 			return error;
 	}
 
-	if (sopt->sopt_size < len)
-		return EINVAL;
-
-	m_copydata(m, 0, len, sopt->sopt_data);
+	sopt->sopt_retsize = MIN(sopt->sopt_size, len);
+	m_copydata(m, 0, sopt->sopt_retsize, sopt->sopt_data);
 	m_freem(m);
-	sopt->sopt_retsize = len;
 
 	return 0;
 }

Prev by Date: PR/54153 CVS commit: src/sys/arch/arm/sunxi
Next by Date: Re: lib/54001 (call_once2_32, call_once2_static test cases failing on amd64 since gcc7 import)
Previous by Thread: PR/54153 CVS commit: src/sys/arch/arm/sunxi
Next by Thread: PR/54176 CVS commit: src/sys/kern
Indexes:

Home | Main Index | Thread Index | Old Index