From: Vladislav Shpilevoy <v.shpilevoy@tarantool.org> To: Sergey Ostanevich <sergos@tarantool.org>, tarantool-patches@dev.tarantool.org Subject: Re: [Tarantool-patches] [PATCH] core: fix static_alloc buffer overflow Date: Sat, 31 Oct 2020 17:33:20 +0100 [thread overview] Message-ID: <429b3e4d-490d-ea88-946a-fc0487f9e46a@tarantool.org> (raw) In-Reply-To: <FBB23D13-1A0D-4C92-918A-EB2995E2CB17@tarantool.org> Hi! Thanks for the patch! On 23.10.2020 17:13, Sergey Ostanevich wrote: > Static buffer overflow in thread local pool causes random fails on OSX > platform. This was caused by an incorrect use of the allocator result: > the snprintf returns the full size of the formatted string, rather the > number of bytes written. > > Fixes #5312 > > Branch: https://github.com/tarantool/tarantool/tree/sergos/gh-5312-crash-in-libeio > Issue: https://github.com/tarantool/tarantool/issues/5312 > > --- > src/lib/core/sio.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/src/lib/core/sio.c b/src/lib/core/sio.c > index 97a512eee..44f952c7c 100644 > --- a/src/lib/core/sio.c > +++ b/src/lib/core/sio.c > @@ -53,15 +53,15 @@ sio_socketname(int fd) > int save_errno = errno; > int name_size = 2 * SERVICE_NAME_MAXLEN; > char *name = static_alloc(name_size); > - int n = snprintf(name, name_size, "fd %d", fd); > + int n = MIN(snprintf(name, name_size, "fd %d", fd), name_size); > if (fd >= 0) { > struct sockaddr_storage addr; > socklen_t addrlen = sizeof(addr); > int rc = getsockname(fd, (struct sockaddr *) &addr, &addrlen); > if (rc == 0) { > - n += snprintf(name + n, name_size - n, ", aka %s", > + n += MIN(snprintf(name + n, name_size - n, ", aka %s", > sio_strfaddr((struct sockaddr *)&addr, > - addrlen)); > + addrlen)), name_size - n); After thinking more I realized it is not entirely correct. MIN(a, b) = ((a) < (b) ? (a) : (b)). It means, that either 'a' or 'b' is executed twice. If 'a' is the big snprintf above, it is also executed twice. So you can't really use MIN right away. I reworked the patch to use an existing macro - SNPRINT. See the new patch below and on the branch in a separate commit. I added a new function, because SNPRINT returns -1 in case of print function fail. ==================== diff --git a/src/lib/core/sio.c b/src/lib/core/sio.c index 44f952c7c..d008526d5 100644 --- a/src/lib/core/sio.c +++ b/src/lib/core/sio.c @@ -46,6 +46,33 @@ static_assert(SMALL_STATIC_SIZE > NI_MAXHOST + NI_MAXSERV, "static buffer should fit host name"); +/** + * Safely print a socket description to the given buffer, with correct overflow + * checks and all. + */ +static int +sio_socketname_to_buffer(int fd, char *buf, int size) +{ + int n = 0; + SNPRINT(n, snprintf, buf, size, "fd %d", fd); + if (fd < 0) + return 0; + struct sockaddr_storage addr; + socklen_t addrlen = sizeof(addr); + int rc = getsockname(fd, (struct sockaddr *) &addr, &addrlen); + if (rc == 0) { + SNPRINT(n, snprintf, buf, size, ", aka %s", + sio_strfaddr((struct sockaddr *)&addr, addrlen)); + } + addrlen = sizeof(addr); + rc = getpeername(fd, (struct sockaddr *) &addr, &addrlen); + if (rc == 0) { + SNPRINT(n, snprintf, buf, size, ", peer of %s", + sio_strfaddr((struct sockaddr *)&addr, addrlen)); + } + return 0; +} + const char * sio_socketname(int fd) { @@ -53,25 +80,13 @@ sio_socketname(int fd) int save_errno = errno; int name_size = 2 * SERVICE_NAME_MAXLEN; char *name = static_alloc(name_size); - int n = MIN(snprintf(name, name_size, "fd %d", fd), name_size); - if (fd >= 0) { - struct sockaddr_storage addr; - socklen_t addrlen = sizeof(addr); - int rc = getsockname(fd, (struct sockaddr *) &addr, &addrlen); - if (rc == 0) { - n += MIN(snprintf(name + n, name_size - n, ", aka %s", - sio_strfaddr((struct sockaddr *)&addr, - addrlen)), name_size - n); - } - addrlen = sizeof(addr); - rc = getpeername(fd, (struct sockaddr *) &addr, &addrlen); - if (rc == 0) { - n += snprintf(name + n, name_size - n, - ", peer of %s", - sio_strfaddr((struct sockaddr *)&addr, - addrlen)); - } - } + int rc = sio_socketname_to_buffer(fd, name, name_size); + /* + * Could fail only because of a bad format in snprintf, but it is not + * bad, so should not fail. + */ + assert(rc == 0); + (void)rc; /* * Restore the original errno, it might have been reset by * snprintf() or getsockname().
next prev parent reply other threads:[~2020-10-31 16:33 UTC|newest] Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-10-23 15:13 Sergey Ostanevich 2020-10-23 20:06 ` Vladislav Shpilevoy 2020-10-29 22:56 ` Vladislav Shpilevoy 2020-10-30 7:07 ` Cyrill Gorcunov 2020-10-31 16:33 ` Vladislav Shpilevoy [this message] 2020-11-02 13:19 ` Sergey Ostanevich 2020-11-02 21:09 ` Vladislav Shpilevoy 2020-11-02 21:18 ` Cyrill Gorcunov 2020-11-02 21:43 ` Vladislav Shpilevoy 2020-11-02 21:47 ` Cyrill Gorcunov 2020-11-03 13:59 ` Sergey Ostanevich 2020-11-03 14:08 ` Cyrill Gorcunov 2020-11-03 22:59 ` Vladislav Shpilevoy
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=429b3e4d-490d-ea88-946a-fc0487f9e46a@tarantool.org \ --to=v.shpilevoy@tarantool.org \ --cc=sergos@tarantool.org \ --cc=tarantool-patches@dev.tarantool.org \ --subject='Re: [Tarantool-patches] [PATCH] core: fix static_alloc buffer overflow' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox