From: mame@ruby-lang.org
To: ruby-core@ruby-lang.org
Date: Tue, 16 Jun 2015 18:21:44 +0000
Subject: [ruby-core:69613] [Ruby trunk - Bug #11270] [Open] Coverity Scan warns out-of-bounds access in ext/socket

Issue #11270 has been reported by Yusuke Endoh.

----------------------------------------
Bug #11270: Coverity Scan warns out-of-bounds access in ext/socket
https://bugs.ruby-lang.org/issues/11270

* Author: Yusuke Endoh
* Status: Open
* Priority: Normal
* Assignee:
* ruby -v:
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Hello,

Coverity Scan warns about ext/socket/init.c and raddrinfo.c.

`rsock_s_recvfrom` in ext/socket/init.c does:

    arg.alen = (socklen_t)sizeof(arg.buf);

then calls `rsock_io_socket_addrinfo`:

    return rb_assoc_new(str, rsock_io_socket_addrinfo(sock, &arg.buf.addr, arg.alen));

`rsock_io_socket_addrinfo` indirectly calls `init_addrinfo` in ext/socket/raddrinfo.c.
(`rsock_io_socket_addrinfo` -> `rsock_fd_socket_addrinfo` -> `rsock_addrinfo_new` -> `init_addrinfo`)

`init_addrinfo` does:

    memcpy((void *)&rai->addr, (void *)sa, len);

Note that `sa` is `&arg.buf.addr`, and `len` is `arg.alen`.
`&arg.buf.addr` is a pointer to sockaddr, and `arg.alen` is `sizeof(union_sockaddr)`, not `sizeof(sockaddr)`, which is indeed inconsistent.

I don't think this inconsistency will cause actual harm, but it would be better to fix it.

--
Yusuke Endoh

--
https://bugs.ruby-lang.org/
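
An added illustration of the inconsistency described in the report above, not code from Ruby's ext/socket: `union sockaddr_buf`, `struct addr_record` and both `store_*` functions are hypothetical stand-ins for `union_sockaddr`, `rai` and `init_addrinfo`. It puts the member-pointer call beside a form where the pointer type and the length agree and the length is bounds-checked.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical stand-in for the union_sockaddr named in the report. */
union sockaddr_buf {
    struct sockaddr         addr;
    struct sockaddr_in6     in6;
    struct sockaddr_storage storage;
};

/* Hypothetical destination record, playing the role of `rai`. */
struct addr_record { union sockaddr_buf addr; socklen_t len; };

/* Reported pattern: source typed as the small member, len sized for the
 * union, so an analyzer sees a read past the end of struct sockaddr. */
static void store_from_member(struct addr_record *r,
                              const struct sockaddr *sa, socklen_t len)
{
    memcpy(&r->addr, sa, len);
    r->len = len;
}

/* Consistent form: pointer type matches the length, and the length is
 * checked. Returns 0 on success, -1 if len exceeds the union. */
static int store_from_union(struct addr_record *r,
                            const union sockaddr_buf *src, socklen_t len)
{
    if (len > (socklen_t)sizeof(*src)) return -1;
    memcpy(&r->addr, src, len);
    r->len = len;
    return 0;
}

/* Constructed input: an IPv6 address, larger than struct sockaddr.
 * Returns 1 if both forms store the same bytes and oversize is refused. */
static int both_forms_agree(void)
{
    union sockaddr_buf buf;
    struct addr_record a, b;
    memset(&buf, 0, sizeof(buf));
    buf.in6.sin6_family = AF_INET6;
    buf.in6.sin6_addr.s6_addr[15] = 1;            /* ::1 */
    store_from_member(&a, &buf.addr, (socklen_t)sizeof(buf));
    if (store_from_union(&b, &buf, (socklen_t)sizeof(buf)) != 0) return 0;
    if (store_from_union(&b, &buf, (socklen_t)sizeof(buf) + 1) != -1) return 0;
    return a.len == b.len && memcmp(&a.addr, &b.addr, sizeof(a.addr)) == 0;
}
int main(void) { return both_forms_agree() ? 0 : 1; }
```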