diff options
author | Michael Santos <michael.santos@gmail.com> | 2011-05-24 08:02:25 -0400 |
---|---|---|
committer | Henrik Nord <henrik@erlang.org> | 2011-05-24 14:17:03 +0200 |
commit | 169080db01101a4db6b1c265d04d972f3c39488a (patch) | |
tree | 4937485210d9c6397deec37540109a9eea11c00f /erts | |
parent | 7ae73012553fc54e84ad00fc00f7940cabf1edbb (diff) | |
download | otp-169080db01101a4db6b1c265d04d972f3c39488a.tar.gz otp-169080db01101a4db6b1c265d04d972f3c39488a.tar.bz2 otp-169080db01101a4db6b1c265d04d972f3c39488a.zip |
inet: error if fd does not match socket domain
If an IPv4 fd is opened as an IPv6 socket, unexpected behaviour can
occur. For example, if an IPv4 UDP socket is opened and passed into
Erlang as an IPv6 socket, the first 3 bytes (corresponding to 1 byte
representing the protocol family, 2 bytes set to the port) are stripped
from the payload. The cause of the UDP payload truncation happens in
inet_drv.c:packet_inet_input when a call to inet_get_address fails
silently because the family is set to PF_INET6 but the buffer len is
the size of an IPv4 struct sockaddr_in.
Prevent this behaviour by checking that the protocol family of the file
descriptor matches the family of the requested Erlang socket.
{ok, S1} = gen_udp:open(0, [binary, inet]),
{ok, FD} = inet:getfd(S1),
{ok, Port} = inet:port(S1),
{ok, S} = gen_udp:open(Port, [binary, {fd, FD}, inet6]),
{ok, C} = gen_udp:open(0, [binary]),
Msg = <<1,2,3,4,5>>,
gen_udp:send(C, "127.0.0.1", Port, Msg),
receive
{udp, S, _, _, Msg} -> ok;
{udp, S, _, _, NewMsg} -> {error, Msg, NewMsg}
end.
This test results in: {error,<<1,2,3,4,5>>,<<4,5>>}
Thanks to Andrew Tunnell-Jones for finding the bug and the test case!
Diffstat (limited to 'erts')
-rw-r--r-- | erts/emulator/drivers/common/inet_drv.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/erts/emulator/drivers/common/inet_drv.c b/erts/emulator/drivers/common/inet_drv.c index 40c4a0df08..ebc4469a23 100644 --- a/erts/emulator/drivers/common/inet_drv.c +++ b/erts/emulator/drivers/common/inet_drv.c @@ -3709,6 +3709,8 @@ static int inet_ctl_fdopen(inet_descriptor* desc, int domain, int type, /* check that it is a socket and that the socket is bound */ if (IS_SOCKET_ERROR(sock_name(s, (struct sockaddr*) &name, &sz))) return ctl_error(sock_errno(), rbuf, rsize); + if (name.sa.sa_family != domain) + return ctl_error(EINVAL, rbuf, rsize); desc->s = s; if ((desc->event = sock_create_event(desc)) == INVALID_EVENT) return ctl_error(sock_errno(), rbuf, rsize); @@ -9739,7 +9741,7 @@ static int packet_inet_ctl(ErlDrvData e, unsigned int cmd, char* buf, int len, if (desc->active || (len != 8)) return ctl_error(EINVAL, rbuf, rsize); timeout = get_int32(buf); - /* The 2nd arg, Length(4), is ignored for both UDP ans SCTP protocols, + /* The 2nd arg, Length(4), is ignored for both UDP and SCTP protocols, since they are msg-oriented. */ if (enq_async(desc, tbuf, PACKET_REQ_RECV) < 0) |