From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Original-To: poffice@blade.nagaokaut.ac.jp Delivered-To: poffice@blade.nagaokaut.ac.jp Received: from kankan.nagaokaut.ac.jp (kankan.nagaokaut.ac.jp [133.44.2.24]) by blade.nagaokaut.ac.jp (Postfix) with ESMTP id C6F8117D688C for ; Fri, 19 Jun 2015 10:14:14 +0900 (JST) Received: from funfun.nagaokaut.ac.jp (funfun.nagaokaut.ac.jp [133.44.2.201]) by kankan.nagaokaut.ac.jp (Postfix) with ESMTP id 31FDEB5D8D6 for ; Fri, 19 Jun 2015 10:37:07 +0900 (JST) Received: from funfun.nagaokaut.ac.jp (localhost.nagaokaut.ac.jp [127.0.0.1]) by funfun.nagaokaut.ac.jp (Postfix) with ESMTP id 5492097A820 for ; Fri, 19 Jun 2015 10:37:08 +0900 (JST) X-Virus-Scanned: amavisd-new at nagaokaut.ac.jp Authentication-Results: funfun.nagaokaut.ac.jp (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=sendgrid.me Received: from funfun.nagaokaut.ac.jp ([127.0.0.1]) by funfun.nagaokaut.ac.jp (funfun.nagaokaut.ac.jp [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nwXUqFmF_C_Z for ; Fri, 19 Jun 2015 10:37:08 +0900 (JST) Received: from voscc.nagaokaut.ac.jp (voscc.nagaokaut.ac.jp [133.44.1.100]) by funfun.nagaokaut.ac.jp (Postfix) with ESMTP id 2821197A826 for ; Fri, 19 Jun 2015 10:37:08 +0900 (JST) Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by voscc.nagaokaut.ac.jp (Postfix) with ESMTP id D58E9952439 for ; Fri, 19 Jun 2015 10:37:06 +0900 (JST) Received: from [221.186.184.76] (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id 09856120478; Fri, 19 Jun 2015 10:37:06 +0900 (JST) X-Original-To: ruby-core@ruby-lang.org Delivered-To: ruby-core@ruby-lang.org Received: from o2.heroku.sendgrid.net (o2.heroku.sendgrid.net [67.228.50.55]) by neon.ruby-lang.org (Postfix) with ESMTPS id D490712046C for ; Fri, 19 Jun 2015 10:36:53 +0900 (JST) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.me; h=from:to:references:subject:mime-version:content-type:content-transfer-encoding:list-id; s=smtpapi; bh=mKAbK9WIopnVZL8B8G32WBWdLI4=; b=lDN5e5lnlY38M8ZJDe hQJngHbShwb3pBwZfrtxip7Q6Frj2t/1yNd27A33k4WYg1FLzq4oycBKF3RMZDwq S3ZCKiWeNSqf76MLcCEkjGb6NIO8ToNOCjzAIhdUYIUuX2vUu4Ee/qtj1fqFuKdB FIW/kxQGghW+vX/LBumhPNddY= Received: by filter0565p1mdw1.sendgrid.net with SMTP id filter0565p1mdw1.15991.5583722F33 2015-06-19 01:36:48.009835397 +0000 UTC Received: from herokuapp.com (ec2-54-162-203-126.compute-1.amazonaws.com [54.162.203.126]) by ismtpd-042 (SG) with ESMTP id 14e09760b67.3ab8.40fb2e for ; Fri, 19 Jun 2015 01:36:47 +0000 (UTC) Date: Fri, 19 Jun 2015 01:36:47 +0000 From: akr@fsij.org To: ruby-core@ruby-lang.org Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Redmine-MailingListIntegration-Message-Ids: 44222 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 11270 X-Redmine-Issue-Author: mame X-Redmine-Sender: akr X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: ync6xU2WACa70kv/Ymy4QrNMhiuLXJG8OTL2vJD1yS5gXC0JUyW7R90vVWGC4oW69ETH/8mcotpSt+ u7xGjzMuPqrOU92JkOKyAtJkFnNH7t2g4xmuQAXOhVsB0u4ePLCNnGEIEfDsvyMN90W7aAEp7R4eRe /ic39/Km+M5TWt51+d0NbBecf0Ln2O1Z1u0w X-SendGrid-Contentd-ID: {"test_id":"1434677809"} X-ML-Name: ruby-core X-Mail-Count: 69672 Subject: [ruby-core:69672] [Ruby trunk - Bug #11270] Coverity Scan warns out-of-bounds access in ext/socket X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #11270 has been updated by Akira Tanaka. Yusuke Endoh wrote: > Honestly I'm not sure the C language specification: is it guaranteed that a pointer to a field of a union and a pointer to the union itself? In short, `(void*)&arg.buf.addr == (void*)&arg.buf`? If it is guaranteed, there is no problem. But I couldn't find the guarantee from the specification. Yes. There is a description in the committee draft of C99. ``` [#13] The size of a union is sufficient to contain the largest of its members. The value of at most one of the members can be stored in a union object at any time. A pointer to a union object, suitably converted, points to each of its members (or if a member is a bit-field, then to the unit in which it resides), and vice versa. ``` This section is quoted to Wikipedia (from C90). https://en.wikipedia.org/wiki/Union_type JIS X 3010:2003 section 6.7.2.1 has same description in Japanese. > I'm not familiar with socket apis. Do you mean that the apis are ill-designed so that we cannot use them in the strict C language? If so, I agree that it is difficult to fix. I don't say "cannot" here. ---------------------------------------- Bug #11270: Coverity Scan warns out-of-bounds access in ext/socket https://bugs.ruby-lang.org/issues/11270#change-53032 * Author: Yusuke Endoh * Status: Open * Priority: Normal * Assignee: * ruby -v: * Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN ---------------------------------------- Hello, Coverity Scan warns ext/socket/init.c and raddrinfo.c. `rsock_s_recvfrom` in ext/socket/init.c does: arg.alen = (socklen_t)sizeof(arg.buf); then calls `rsock_io_socket_addrinfo`: return rb_assoc_new(str, rsock_io_socket_addrinfo(sock, &arg.buf.addr, arg.alen)); `rsock_io_socket_addrinfo` indirectly calls `init_addrinfo` in ext/socket/raddrinfo.c. (`rsock_io_socket_addrinfo` -> `rsock_fd_socket_addrinfo` -> `rsock_addrinfo_new` -> `init_addrinfo`) `init_addrinfo` does: memcpy((void *)&rai->addr, (void *)sa, len); Note that `sa` is `&arg.buf.addr`, and `len` is `arg.alen`. `&arg.buf.addr` is a pointer to sockaddr, and `arg.len` is `sizeof(union_sockaddr)`, not `sizeof(sockaddr)`, which is indeed inconsistent. I don't think this inconsistency will cause actual harm, but it would be better to fix. -- Yusuke Endoh -- https://bugs.ruby-lang.org/