aboutsummaryrefslogtreecommitdiffstats
path: root/erts
diff options
context:
space:
mode:
authorMichael Santos <michael.santos@gmail.com>2011-05-24 08:02:25 -0400
committerHenrik Nord <henrik@erlang.org>2011-05-24 14:17:03 +0200
commit169080db01101a4db6b1c265d04d972f3c39488a (patch)
tree4937485210d9c6397deec37540109a9eea11c00f /erts
parent7ae73012553fc54e84ad00fc00f7940cabf1edbb (diff)
downloadotp-169080db01101a4db6b1c265d04d972f3c39488a.tar.gz
otp-169080db01101a4db6b1c265d04d972f3c39488a.tar.bz2
otp-169080db01101a4db6b1c265d04d972f3c39488a.zip
inet: error if fd does not match socket domain
If an IPv4 fd is opened as an IPv6 socket, unexpected behaviour can occur. For example, if an IPv4 UDP socket is opened and passed into Erlang as an IPv6 socket, the first 3 bytes (corresponding to 1 byte representing the protocol family, 2 bytes set to the port) are stripped from the payload. The cause of the UDP payload truncation happens in inet_drv.c:packet_inet_input when a call to inet_get_address fails silently because the family is set to PF_INET6 but the buffer len is the size of an IPv4 struct sockaddr_in. Prevent this behaviour by checking that the protocol family of the file descriptor matches the family of the requested Erlang socket. {ok, S1} = gen_udp:open(0, [binary, inet]), {ok, FD} = inet:getfd(S1), {ok, Port} = inet:port(S1), {ok, S} = gen_udp:open(Port, [binary, {fd, FD}, inet6]), {ok, C} = gen_udp:open(0, [binary]), Msg = <<1,2,3,4,5>>, gen_udp:send(C, "127.0.0.1", Port, Msg), receive {udp, S, _, _, Msg} -> ok; {udp, S, _, _, NewMsg} -> {error, Msg, NewMsg} end. This test results in: {error,<<1,2,3,4,5>>,<<4,5>>} Thanks to Andrew Tunnell-Jones for finding the bug and the test case!
Diffstat (limited to 'erts')
-rw-r--r--erts/emulator/drivers/common/inet_drv.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/erts/emulator/drivers/common/inet_drv.c b/erts/emulator/drivers/common/inet_drv.c
index 40c4a0df08..ebc4469a23 100644
--- a/erts/emulator/drivers/common/inet_drv.c
+++ b/erts/emulator/drivers/common/inet_drv.c
@@ -3709,6 +3709,8 @@ static int inet_ctl_fdopen(inet_descriptor* desc, int domain, int type,
/* check that it is a socket and that the socket is bound */
if (IS_SOCKET_ERROR(sock_name(s, (struct sockaddr*) &name, &sz)))
return ctl_error(sock_errno(), rbuf, rsize);
+ if (name.sa.sa_family != domain)
+ return ctl_error(EINVAL, rbuf, rsize);
desc->s = s;
if ((desc->event = sock_create_event(desc)) == INVALID_EVENT)
return ctl_error(sock_errno(), rbuf, rsize);
@@ -9739,7 +9741,7 @@ static int packet_inet_ctl(ErlDrvData e, unsigned int cmd, char* buf, int len,
if (desc->active || (len != 8))
return ctl_error(EINVAL, rbuf, rsize);
timeout = get_int32(buf);
- /* The 2nd arg, Length(4), is ignored for both UDP ans SCTP protocols,
+ /* The 2nd arg, Length(4), is ignored for both UDP and SCTP protocols,
since they are msg-oriented. */
if (enq_async(desc, tbuf, PACKET_REQ_RECV) < 0)