From: mame@ruby-lang.org
To: ruby-core@ruby-lang.org
Date: Thu, 18 Jun 2015 15:59:23 +0000
Subject: [ruby-core:69662] [Ruby trunk - Bug #11270] [Open] Coverity Scan warns out-of-bounds access in ext/socket

Issue #11270 has been updated by Yusuke Endoh.
Status changed from Feedback to Open

Akira Tanaka wrote:
> arg.alen is initialized as sizeof(union_sockaddr) and
> modified by recvfrom() which is less than or equal to sizeof(union_sockaddr).
>
> rai is rb_addrinfo_t and rai->addr is union_sockaddr.
>
> So the memcpy() doesn't overflow.

I think that Coverity Scan is warning against `sa`, not `rai`.
`sa` is `&arg.buf.addr`, not `&arg.buf`. If it were `&arg.buf`, there is certainly no problem.

Honestly I'm not sure about the C language specification: is it guaranteed that a pointer to a field of a union and a pointer to the union itself are equal? In short, `(void*)&arg.buf.addr == (void*)&arg.buf`? If it is guaranteed, there is no problem. But I couldn't find the guarantee in the specification.

> > I don't think this inconsistency will cause actual harm, but it would be better to fix.
> > Do you have an idea to fix it?
>
> I guess the inconsistency is caused by "struct sockaddr" being used as a type for generic socket addresses
> but actually a fixed length buffer which may be not enough for some addresses.
> It is a Unix tradition and too difficult to fix.

I'm not familiar with socket APIs. Do you mean that the APIs are ill-designed so that we cannot use them in the strict C language? If so, I agree that it is difficult to fix.

-- 
Yusuke Endoh

----------------------------------------
Bug #11270: Coverity Scan warns out-of-bounds access in ext/socket
https://bugs.ruby-lang.org/issues/11270#change-53022

* Author: Yusuke Endoh
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: 
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Hello,

Coverity Scan warns ext/socket/init.c and raddrinfo.c.

`rsock_s_recvfrom` in ext/socket/init.c does:

    arg.alen = (socklen_t)sizeof(arg.buf);

then calls `rsock_io_socket_addrinfo`:

    return rb_assoc_new(str, rsock_io_socket_addrinfo(sock, &arg.buf.addr, arg.alen));

`rsock_io_socket_addrinfo` indirectly calls `init_addrinfo` in ext/socket/raddrinfo.c.
(`rsock_io_socket_addrinfo` -> `rsock_fd_socket_addrinfo` -> `rsock_addrinfo_new` -> `init_addrinfo`)

`init_addrinfo` does:

    memcpy((void *)&rai->addr, (void *)sa, len);

Note that `sa` is `&arg.buf.addr`, and `len` is `arg.alen`.
`&arg.buf.addr` is a pointer to sockaddr, and `arg.alen` is `sizeof(union_sockaddr)`, not `sizeof(sockaddr)`, which is indeed inconsistent.

I don't think this inconsistency will cause actual harm, but it would be better to fix.

-- 
Yusuke Endoh

-- 
https://bugs.ruby-lang.org/
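The pattern the thread argues about, as an added example that is not code from ext/socket or the issue: a hypothetical `union sockaddr_buf` standing in for `union_sockaddr`, a check that a member pointer and the union pointer name the same storage (C11 6.7.2.1), and a copy that bounds `len` by the real destination rather than by the nominal `struct sockaddr`. The IPv6 sample address and port are constructed.

```c
/* Added example (not ext/socket code): models the union_sockaddr buffer
 * pattern discussed in the thread and makes the length bound explicit. */
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/un.h>
/* Hypothetical stand-in for ext/socket's union_sockaddr. */
union sockaddr_buf {
    struct sockaddr addr;           /* generic header, nominally 16 bytes */
    struct sockaddr_in in;
    struct sockaddr_in6 in6;        /* 28 bytes: does not fit in sockaddr */
    struct sockaddr_un un;
    struct sockaddr_storage storage;
};
/* C11 6.7.2.1: a pointer to a union object, suitably converted, points to
 * each of its members and vice versa, so &buf->addr and buf are the same
 * address. The only hazard is the nominal size of struct sockaddr. */
int member_aliases_union(union sockaddr_buf *buf)
{
    return (void *)&buf->addr == (void *)buf;
}

/* Copy `len` bytes of address into the union. `len` comes from recvfrom()
 * and is bounded by the real destination size, never by sizeof(struct
 * sockaddr). Returns bytes copied, or -1 if the address does not fit. */
int copy_sockaddr(union sockaddr_buf *dst, const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL || len > sizeof(*dst))
        return -1;
    memcpy(dst, sa, len);   /* whole union is the destination, as in init_addrinfo */
    return (int)len;
}

/* Constructed IPv6 address (::1, port 5353) handed over through a
 * `struct sockaddr *`, the shape rsock_s_recvfrom passes along. Returns 1
 * if all 28 bytes of the sockaddr_in6 survive the copy. */
int roundtrip_in6(void)
{
    union sockaddr_buf src, dst;
    memset(&src, 0, sizeof src);
    src.in6.sin6_family = AF_INET6;
    src.in6.sin6_port = htons(5353);
    src.in6.sin6_addr.s6_addr[15] = 1;
    if (copy_sockaddr(&dst, &src.addr, (socklen_t)sizeof src.in6) < 0)
        return 0;
    return dst.in6.sin6_family == AF_INET6 && ntohs(dst.in6.sin6_port) == 5353
        && dst.in6.sin6_addr.s6_addr[15] == 1;
}
```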