[issue8372] socket: Buffer overrun while reading unterminated AF_UNIX addresses
David Watson
report at bugs.python.org
Sun Sep 12 21:48:25 CEST 2010
David Watson <baikie at users.sourceforge.net> added the comment:
> With all the effort that went into the patch, I recommend to get it right: if there is space for the \0, include it. If the string size is exactly 108, and it's linux, write it unterminated. Else fail.
>
> As for testing: we should then definitely have a test that, if you can create a 108-byte unix socket, its socket name is what we said it should be.
The attached patches do those things, if I understand you
correctly (the test patches add such a test for Linux, and
linux-pass-unterminated uses memset() to zero out the area
between the end of the actual path and the end of the sun_path
array).
If you're talking about including the null in the address passed
to the system call, that does no harm on Linux, but I think the
more common practice is not to include it. The FreeBSD SUN_LEN
macro, for instance, is provided to calculate the address length
and does not include the null.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8372>
_______________________________________
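The length policy discussed in this message, as an added example that is not part of the original post or of the attached CPython patches: build a `sockaddr_un` that allows an exact-fit unterminated path only on Linux, and read a returned address bounded by its length instead of relying on a terminator. The helper names `unix_addr_from_path` and `unix_path_from_addr` are hypothetical, and abstract-namespace names (leading null byte) are out of scope.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: fill *sa from `len` path bytes (terminator not counted).
 * Returns the address length for bind()/connect(), or -1 with errno set. */
static int unix_addr_from_path(struct sockaddr_un *sa, const char *path, size_t len)
{
#ifdef __linux__
    size_t max = sizeof(sa->sun_path);      /* exact fit allowed, unterminated */
#else
    size_t max = sizeof(sa->sun_path) - 1;  /* elsewhere require room for \0 */
#endif
    if (len > max) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sa, 0, sizeof(*sa));             /* zero everything after the path */
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, len);
    /* As with FreeBSD's SUN_LEN, the length does not count the null. */
    return (int)(offsetof(struct sockaddr_un, sun_path) + len);
}

/* Hypothetical helper: copy the path out of an address of `addrlen` bytes
 * without reading past addrlen. Returns the path length, or -1. */
static int unix_path_from_addr(const struct sockaddr_un *sa, socklen_t addrlen,
                               char *out, size_t outsz)
{
    size_t off = offsetof(struct sockaddr_un, sun_path);
    if (addrlen < off || addrlen > sizeof(*sa))
        return -1;
    size_t avail = addrlen - off;           /* bytes of sun_path that are valid */
    const char *nul = memchr(sa->sun_path, 0, avail);
    size_t n = nul ? (size_t)(nul - sa->sun_path) : avail;
    if (n >= outsz)
        return -1;
    memcpy(out, sa->sun_path, n);
    out[n] = '\0';                          /* terminate in our own buffer */
    return (int)n;
}

int main(void)
{
    struct sockaddr_un sa;
    printf("%d\n", unix_addr_from_path(&sa, "/tmp/example.sock", 17));
    return 0;
}
```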