[Tarantool-patches] [PATCH] core: fix static_alloc buffer overflow
Vladislav Shpilevoy
v.shpilevoy at tarantool.org
Tue Nov 3 00:09:29 MSK 2020
> Thanks for the investigation! My bad, I used MIN as a function with
> sematics of all agruments calculated before call. You're right - in case
> of define it can cause a double call.
>
> The SNPRINT although leaves some questions to me: in case 'written' is
> more or equal to 'size', it forces '_buf' to be set to NULL. But in the
> sio_socketname_to_buffer() there's no check for NULL between the calls.
> A call to snprintf() delivers a segfault, at least for Mac.
Woops, SNPRINT is used a lot in the code. If it is true, we need to fix SNPRINT.
> Also, factoring out 18 loc out of a function with a total of 24 seems
> redundant - IMVHO.
With your patch it is also an issue with alignment. See below. I
tried to fix it in-place, but it was too ugly due to too big
indentation.
> --- a/src/lib/core/sio.c
> +++ b/src/lib/core/sio.c
> @@ -53,20 +53,22 @@ sio_socketname(int fd)
> int save_errno = errno;
> int name_size = 2 * SERVICE_NAME_MAXLEN;
> char *name = static_alloc(name_size);
> - int n = snprintf(name, name_size, "fd %d", fd);
> + int to_be_printed = snprintf(name, name_size, "fd %d", fd);
> + int n = MIN(to_be_printed, name_size);
> if (fd >= 0) {
> struct sockaddr_storage addr;
> socklen_t addrlen = sizeof(addr);
> int rc = getsockname(fd, (struct sockaddr *) &addr, &addrlen);
> if (rc == 0) {
> - n += snprintf(name + n, name_size - n, ", aka %s",
> + to_be_printed = snprintf(name + n, name_size - n, ", aka %s",
> sio_strfaddr((struct sockaddr *)&addr,
> addrlen));
Here sio_strfaddr( should get +17 spaces, and that makes it hard
to read. So I extracted everything to a new function with lower
indentation.
More information about the Tarantool-patches
mailing list