[Tarantool-patches] [PATCH] app: verify unix socket path length in socket.tcp_server()

[Tarantool-patches] [PATCH] app: verify unix socket path length in socket.tcp_server()

[Chris Sosnin]

Providing socket pathname longer than UNIX_PATH_MAX to socket.tcp_server()
will not cause any error, lbox_socket_local_resolve will just truncate the
name according to the limit, causing bad behavior (tarantool will try to
access a socket, which doesn't exist). Thus, let's verify, that pathname
can fit into buffer.

Closes #4634
---
branch: https://github.com/tarantool/tarantool/tree/ksosnin/gh-4634-verify-socket-path-length
issue: https://github.com/tarantool/tarantool/issues/4634

The issue itself already contains the fix, I just added the test and
dropped the following comment from the code:
+               /*
+                * sun_path doesn't have to be null-terminated on
+                * Linux, but we ensure it is so for maximum
+                * portability.
+                */

According to unix(7):

 Pathname sockets
       When binding a socket to a pathname, a few rules should be observed
       for maximum portability and ease of coding:

       *  The pathname in sun_path should be null-terminated.

So such comment (at least for me) would rather be confusing.
 src/lua/socket.c         | 3 ++-
 test/app/socket.result   | 8 ++++++++
 test/app/socket.test.lua | 4 ++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/lua/socket.c b/src/lua/socket.c
index 130378caf..e75a8802e 100644
--- a/src/lua/socket.c
+++ b/src/lua/socket.c
@@ -403,7 +403,8 @@ lbox_socket_local_resolve(const char *host, const char *port,
 {
 	if (strcmp(host, "unix/") == 0) {
 		struct sockaddr_un *uaddr = (struct sockaddr_un *) addr;
-		if (*socklen < sizeof(*uaddr)) {
+		if (*socklen < sizeof(*uaddr) ||
+		    strlen(port) >= sizeof(uaddr->sun_path)) {
 			errno = ENOBUFS;
 			return -1;
 		}
diff --git a/test/app/socket.result b/test/app/socket.result
index 9829df138..f47d06935 100644
--- a/test/app/socket.result
+++ b/test/app/socket.result
@@ -1614,6 +1614,14 @@ socket.getaddrinfo('host', 'port', { flags = 'WRONG' }) == nil and errno() == er
 ---
 - true
 ...
+-- gh-4634: verify socket path length in socket.tcp_server.
+long_port = string.rep('a', 110)
+---
+...
+socket.tcp_server('unix/', long_port, function(s) end) == errno.ENOBUF
+---
+- true
+...
 -- gh-574: check that fiber with getaddrinfo can be safely cancelled
 test_run:cmd("setopt delimiter ';'")
 ---
diff --git a/test/app/socket.test.lua b/test/app/socket.test.lua
index af926c35b..e303d3743 100644
--- a/test/app/socket.test.lua
+++ b/test/app/socket.test.lua
@@ -531,6 +531,10 @@ socket.getaddrinfo('host', 'port', { family = 'WRONG' }) == nil and errno() == e
 socket.getaddrinfo('host', 'port', { protocol = 'WRONG' }) == nil and errno() == errno.EPROTOTYPE
 socket.getaddrinfo('host', 'port', { flags = 'WRONG' }) == nil and errno() == errno.EINVAL
 
+-- gh-4634: verify socket path length in socket.tcp_server.
+long_port = string.rep('a', 110)
+socket.tcp_server('unix/', long_port, function(s) end) == errno.ENOBUF
+
 -- gh-574: check that fiber with getaddrinfo can be safely cancelled
 test_run:cmd("setopt delimiter ';'")
 f = fiber.create(function()
-- 
2.21.1 (Apple Git-122.3)

Re: [Tarantool-patches] [PATCH] app: verify unix socket path length in socket.tcp_server()

[Vladislav Shpilevoy]

Hi! Thanks for the patch!

> diff --git a/test/app/socket.result b/test/app/socket.result
> index 9829df138..f47d06935 100644
> --- a/test/app/socket.result
> +++ b/test/app/socket.result
> @@ -1614,6 +1614,14 @@ socket.getaddrinfo('host', 'port', { flags = 'WRONG' }) == nil and errno() == er
>  ---
>  - true
>  ...
> +-- gh-4634: verify socket path length in socket.tcp_server.
> +long_port = string.rep('a', 110)
> +---
> +...
> +socket.tcp_server('unix/', long_port, function(s) end) == errno.ENOBUF

Both function result and errno.ENOBUF are nil. No wonder they are equal.

Re: [Tarantool-patches] [PATCH] app: verify unix socket path length in socket.tcp_server()

[Chris Sosnin]

Hi! Thank you for the review!

> 22 февр. 2020 г., в 19:28, Vladislav Shpilevoy <v.shpilevoy@tarantool.org> написал(а):
> 
> Hi! Thanks for the patch!
> 
>> diff --git a/test/app/socket.result b/test/app/socket.result
>> index 9829df138..f47d06935 100644
>> --- a/test/app/socket.result
>> +++ b/test/app/socket.result
>> @@ -1614,6 +1614,14 @@ socket.getaddrinfo('host', 'port', { flags = 'WRONG' }) == nil and errno() == er
>> ---
>> - true
>> ...
>> +-- gh-4634: verify socket path length in socket.tcp_server.
>> +long_port = string.rep('a', 110)
>> +---
>> +...
>> +socket.tcp_server('unix/', long_port, function(s) end) == errno.ENOBUF
> 
> Both function result and errno.ENOBUF are nil. No wonder they are equal.

I’m sorry, I was very careless. The fix is pushed:

+-- gh-4634: verify socket path length in socket.tcp_server.
+long_port = string.rep('a', 110)
+socket.tcp_server('unix/', long_port, function(s) end) == nil and errno() == errno.ENOBUFS

Re: [Tarantool-patches] [PATCH] app: verify unix socket path length in socket.tcp_server()

[Vladislav Shpilevoy]

LGTM.

Re: [Tarantool-patches] [PATCH] app: verify unix socket path length in socket.tcp_server()

[Kirill Yukhin]

Hello,

On 21 фев 15:32, Chris Sosnin wrote:
> Providing socket pathname longer than UNIX_PATH_MAX to socket.tcp_server()
> will not cause any error, lbox_socket_local_resolve will just truncate the
> name according to the limit, causing bad behavior (tarantool will try to
> access a socket, which doesn't exist). Thus, let's verify, that pathname
> can fit into buffer.
> 
> Closes #4634
> ---
> branch: https://github.com/tarantool/tarantool/tree/ksosnin/gh-4634-verify-socket-path-length
> issue: https://github.com/tarantool/tarantool/issues/4634

I've checked your patch into 2.3 and master.

--
Regards, Kirill Yukhin