[PATCH] lib: Fix uninitialized read in msghdr_copy - causes LOCAL-MESSAGING-FDPASS2 to hang

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jun 8 12:38:27 UTC 2016


On Tue, Jun 07, 2016 at 12:55:51PM -0700, Jeremy Allison wrote:
> On Tue, Jun 07, 2016 at 12:14:20PM -0700, Jeremy Allison wrote:
> > I think the bug here is having the msg_controllen field
> > nulled out... still investigating.
> 
> Found it. msghdr_copy() can be called with a first argument
> of msg == NULL, when you're trying to find the size.
> 
> Then we call
> 
> fd_len = msghdr_prep_fds(&msg->msg, msg->buf, bufsize, fds, num_fds);
> 
> without checking that msg == NULL. We seem to get away with this
> as inside msghdr_prep_fds() we check for msg == NULL before
> indirecting msg, although I would have thought the compiler
> would cause a crash due to the &msg->msg, msg->buf parameter,
> but apparently not :-).
> 
> When msghdr_copy() is called with non-null then msghdr_prep_fds()
> calculates the correct size and sets up msg->msg_controllen for
> the fd array - but that gets zeroed out with the original
> 
> msg->msg = (struct msghdr) {};
> 
> change. Fixed version attached.
> 
> Please confirm and push if happy.

Thanks a lot! Pushed with some slight reformatting.

Sorry for not following up, I'm really busy these days.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

SerNet & BSI invite you: 29 June 2016,
2nd IT-Grundschutztag 2016, BPA Berlin.
Registration: https://www.sernet.de/gstag
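The ordering bug Jeremy describes above, as an added C reconstruction that is not Samba's code: `struct msghdr_buf`, `prep_fds()`, `msghdr_copy_buggy()` and `msghdr_copy_fixed()` are hypothetical stand-ins for the shapes the thread names (a msghdr followed by the buffer that carries its SCM_RIGHTS control data, a prep routine that doubles as a sizing pass when handed NULL, and a copy routine that zeroes the header). The buggy variant zeroes the header after the prep call, so the control message is written into the buffer but `msg_controllen` ends up 0 and nothing would reference it on `sendmsg()`; the fixed variant zeroes first. The sample descriptor numbers are constructed and never sent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical layout: a msghdr followed by the buffer holding its control data. */
struct msghdr_buf {
	struct msghdr msg;
	uint8_t buf[];
};

/* Constructed sample; never passed to sendmsg(), so these need not be open. */
static const int demo_fds[2] = { 3, 4 };

/*
 * Hypothetical stand-in for a prep routine: build an SCM_RIGHTS control
 * message for num_fds descriptors in buf and point msg->msg_control and
 * msg->msg_controllen at it. With msg == NULL it only reports the bytes
 * of buf needed (sizing pass) and touches nothing. Returns -1 if bufsize
 * is too small.
 */
static ssize_t prep_fds(struct msghdr *msg, uint8_t *buf, size_t bufsize,
			const int *fds, size_t num_fds)
{
	size_t need = (num_fds == 0) ? 0 : CMSG_SPACE(num_fds * sizeof(int));
	struct cmsghdr *cm;

	if (msg == NULL) {
		return (ssize_t)need;		/* sizing pass only */
	}
	if (need == 0) {
		msg->msg_control = NULL;
		msg->msg_controllen = 0;
		return 0;
	}
	if (bufsize < need) {
		return -1;
	}
	memset(buf, 0, need);			/* deterministic padding bytes */
	msg->msg_control = buf;
	msg->msg_controllen = need;
	cm = CMSG_FIRSTHDR(msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(num_fds * sizeof(int));
	memcpy(CMSG_DATA(cm), fds, num_fds * sizeof(int));
	return (ssize_t)need;
}

/* Buggy ordering: the header is zeroed AFTER prep_fds() set msg_controllen. */
static ssize_t msghdr_copy_buggy(struct msghdr_buf *msg, size_t msgsize,
				 const int *fds, size_t num_fds)
{
	size_t hdr = offsetof(struct msghdr_buf, buf);
	ssize_t fd_len;

	if (msg != NULL && msgsize < hdr) {
		return -1;
	}
	fd_len = prep_fds(msg ? &msg->msg : NULL, msg ? msg->buf : NULL,
			  msg ? msgsize - hdr : 0, fds, num_fds);
	if (fd_len < 0) {
		return -1;
	}
	if (msg != NULL) {
		msg->msg = (struct msghdr) { 0 };	/* BUG: wipes msg_control/msg_controllen */
	}
	return (ssize_t)(hdr + (size_t)fd_len);
}

/* Fixed ordering: zero the header first, then let prep_fds() fill it in. */
static ssize_t msghdr_copy_fixed(struct msghdr_buf *msg, size_t msgsize,
				 const int *fds, size_t num_fds)
{
	size_t hdr = offsetof(struct msghdr_buf, buf);
	ssize_t fd_len;

	if (msg != NULL) {
		if (msgsize < hdr) {
			return -1;
		}
		msg->msg = (struct msghdr) { 0 };
	}
	fd_len = prep_fds(msg ? &msg->msg : NULL, msg ? msg->buf : NULL,
			  msg ? msgsize - hdr : 0, fds, num_fds);
	if (fd_len < 0) {
		return -1;
	}
	return (ssize_t)(hdr + (size_t)fd_len);
}

/* Run sizing pass + real pass through one copy routine; return the
 * resulting msg_controllen, or (size_t)-1 on failure. */
static size_t controllen_after(ssize_t (*copy)(struct msghdr_buf *, size_t,
					       const int *, size_t),
			       const int *fds, size_t num_fds)
{
	ssize_t need = copy(NULL, 0, fds, num_fds);
	struct msghdr_buf *m;
	size_t out;

	if (need < 0) {
		return (size_t)-1;
	}
	m = malloc((size_t)need);
	if (m == NULL) {
		return (size_t)-1;
	}
	out = (copy(m, (size_t)need, fds, num_fds) < 0)
		? (size_t)-1 : (size_t)m->msg.msg_controllen;
	free(m);
	return out;
}

int main(void)
{
	printf("buggy msg_controllen: %zu\n", controllen_after(msghdr_copy_buggy, demo_fds, 2));
	printf("fixed msg_controllen: %zu (expected %zu)\n",
	       controllen_after(msghdr_copy_fixed, demo_fds, 2),
	       (size_t)CMSG_SPACE(2 * sizeof(int)));
	return 0;
}
```

A zero `msg_controllen` is exactly the symptom the subject line reports: the sender emits a message with no SCM_RIGHTS payload, and a receiver that expects descriptors on that message waits for them indefinitely.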


