2 * Check decoding of struct msghdr.msg_name* arguments of recvmsg syscall.
4 * Copyright (c) 2016 Dmitry V. Levin <ldv@altlinux.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35 #include <sys/socket.h>
/*
 * Queue the single byte "A" on send_fd, then call recvmsg() on recv_fd with
 * the caller's msghdr and flags and return recvmsg()'s result as is.
 * If send() does not report exactly one byte, perror_msg_and_skip("send")
 * is called.
 *
 * NOTE(review): the numbers embedded at the start of each line skip 38, 41
 * and 45, so the return type and the braces are not visible in this
 * listing; callers store the result in an int.
 */
39 send_recv(const int send_fd, const int recv_fd,
40 struct msghdr *const msg, const int flags)
42 if (send(send_fd, "A", 1, 0) != 1)
43 perror_msg_and_skip("send");
/*
 * recv_fd and msg are forwarded without validation: callers in this file
 * also pass -1, NULL and msg + 1 here to provoke failing recvmsg() calls.
 */
44 return recvmsg(recv_fd, msg, flags);
/*
 * Run recvmsg() with a series of msg_name / msg_namelen combinations and
 * print one "recvmsg(...)" line per call; per the file header these lines
 * check decoding of the msghdr.msg_name* arguments.  Every call goes
 * through send_recv(), which first queues one byte "A" on send_fd.
 *
 * NOTE(review): the embedded line numbers are not contiguous (57, 59-61,
 * 63, 66, 81 and 108 are among those absent), so some statements of the
 * function are not visible here.  The comments below describe only the
 * lines shown; confirm the gaps against the original file.
 */
48 test_msg_name(const int send_fd, const int recv_fd)
/*
 * Each buffer is obtained from tail_alloc() with the size of exactly one
 * object.  NOTE(review): presumably tail_alloc() places the object directly
 * in front of inaccessible memory so that an over-read faults instead of
 * going unnoticed; its definition is not in this listing -- confirm.
 */
50 char *const recv_buf = tail_alloc(sizeof(*recv_buf));
51 struct iovec *const iov = tail_alloc(sizeof(*iov));
52 iov->iov_base = recv_buf;
53 iov->iov_len = sizeof(*recv_buf);
55 struct sockaddr_un *const addr = tail_alloc(sizeof(*addr));
56 struct msghdr *const msg = tail_alloc(sizeof(*msg));
/*
 * Case 1: name length set to a full struct sockaddr_un.
 * NOTE(review): the assignments of msg_name, msg_iov, msg_iovlen,
 * msg_control and msg_flags are not visible in this listing -- confirm.
 */
58 msg->msg_namelen = sizeof(*addr);
62 msg->msg_controllen = 0;
65 int rc = send_recv(send_fd, recv_fd, msg, MSG_DONTWAIT);
/*
 * NOTE(review): no condition guarding this call is visible; embedded line
 * 66 is absent and presumably held the check on rc -- confirm.
 */
67 perror_msg_and_skip("recvmsg");
/*
 * The expected line shows msg_namelen as "old->new".  sun_path is printed
 * with a plain "%s", which depends on a NUL terminator inside the buffer;
 * nothing visible here initialises addr before the call.  The "%.*s" form
 * used further down bounds the read explicitly.
 */
68 printf("recvmsg(%d, {msg_name={sa_family=AF_UNIX, sun_path=\"%s\"}"
69 ", msg_namelen=%d->%d, msg_iov=[{\"A\", 1}], msg_iovlen=1"
70 ", msg_controllen=0, msg_flags=0}, MSG_DONTWAIT) = %d\n",
71 recv_fd, addr->sun_path, (int) sizeof(struct sockaddr_un),
72 (int) msg->msg_namelen, rc);
/*
 * Case 2: the address buffer is zeroed and the call repeated with the
 * msg_namelen left by the previous call; the expected line prints a single
 * msg_namelen value.
 */
74 memset(addr, 0, sizeof(*addr));
75 rc = send_recv(send_fd, recv_fd, msg, MSG_DONTWAIT);
76 printf("recvmsg(%d, {msg_name={sa_family=AF_UNIX, sun_path=\"%s\"}"
77 ", msg_namelen=%d, msg_iov=[{\"A\", 1}], msg_iovlen=1"
78 ", msg_controllen=0, msg_flags=0}, MSG_DONTWAIT) = %d\n",
79 recv_fd, addr->sun_path, (int) msg->msg_namelen, rc);
/*
 * Case 3: the expected line shows msg_name=NULL.
 * NOTE(review): the statement that clears msg->msg_name is not visible
 * (embedded line 81 is absent) -- confirm.
 */
82 rc = send_recv(send_fd, recv_fd, msg, MSG_DONTWAIT);
83 printf("recvmsg(%d, {msg_name=NULL"
84 ", msg_namelen=%d, msg_iov=[{\"A\", 1}], msg_iovlen=1"
85 ", msg_controllen=0, msg_flags=0}, MSG_DONTWAIT) = %d\n",
86 recv_fd, (int) msg->msg_namelen, rc);
/*
 * Case 4: msg_namelen is cut down to the offset of sun_path, so only
 * sa_family fits.  sun_path is filled with 'A' over its whole length,
 * leaving no NUL terminator; the expected line contains sa_family only.
 */
88 const size_t offsetof_sun_path = offsetof(struct sockaddr_un, sun_path);
90 msg->msg_namelen = offsetof_sun_path;
91 memset(addr->sun_path, 'A', sizeof(addr->sun_path));
93 rc = send_recv(send_fd, recv_fd, msg, MSG_DONTWAIT);
94 printf("recvmsg(%d, {msg_name={sa_family=AF_UNIX}"
95 ", msg_namelen=%d->%d, msg_iov=[{\"A\", 1}], msg_iovlen=1"
96 ", msg_controllen=0, msg_flags=0}, MSG_DONTWAIT) = %d\n",
97 recv_fd, (int) offsetof_sun_path, (int) msg->msg_namelen, rc);
/*
 * Case 5: msg_namelen is sizeof(struct sockaddr) and msg_name is moved so
 * that the name buffer ends exactly where the addr object ends (addr + 1).
 * The subtraction is done on a void pointer, which is a GNU C extension.
 * sun_path is printed with an explicit precision of
 * sizeof(struct sockaddr) - offsetof_sun_path, so the read stays inside
 * the shortened buffer even without a NUL terminator.
 */
99 msg->msg_namelen = sizeof(struct sockaddr);
100 msg->msg_name = ((void *) (addr + 1)) - msg->msg_namelen;
101 rc = send_recv(send_fd, recv_fd, msg, MSG_DONTWAIT);
102 printf("recvmsg(%d, {msg_name={sa_family=AF_UNIX, sun_path=\"%.*s\"}"
103 ", msg_namelen=%d->%d, msg_iov=[{\"A\", 1}], msg_iovlen=1"
104 ", msg_controllen=0, msg_flags=0}, MSG_DONTWAIT) = %d\n",
105 recv_fd, (int) (sizeof(struct sockaddr) - offsetof_sun_path),
106 ((struct sockaddr_un *) msg->msg_name)->sun_path,
107 (int) sizeof(struct sockaddr), (int) msg->msg_namelen, rc);
/*
 * Case 6: the expected line ends with an errno name and "%m", i.e. it
 * describes a failed call and shows msg_namelen only.
 * NOTE(review): the statement that sets the rejected msg_namelen is not
 * visible (embedded line 108 is absent) -- confirm.
 */
109 rc = send_recv(send_fd, recv_fd, msg, MSG_DONTWAIT);
110 printf("recvmsg(%d, {msg_namelen=%d}, MSG_DONTWAIT) = %d %s (%m)\n",
111 recv_fd, (int) msg->msg_namelen, rc, errno2name());
114 * When recvmsg is called with a valid descriptor
115 * but inaccessible memory, it causes segfaults on some architectures.
116 * As in these cases we test decoding of failed recvmsg calls,
117 * it's ok to fail recvmsg with any reason as long as
118 * it doesn't read that inaccessible memory.
/*
 * Cases 7 and 8: recv_fd is -1.  First the msghdr pointer is msg + 1, one
 * element past the msghdr object, and the expected line prints it with %p
 * (which formally expects void *; a struct msghdr * is passed).
 * NOTE(review): presumably msg + 1 is an inaccessible address because msg
 * came from tail_alloc() -- confirm.
 */
120 rc = send_recv(send_fd, -1, msg + 1, 0);
121 printf("recvmsg(-1, %p, 0) = %d %s (%m)\n",
122 msg + 1, rc, errno2name());
/*
 * Then the msghdr pointer is a null pointer (written as 0).
 * NOTE(review): the argument line of this printf and the end of the
 * function are not visible in this listing.
 */
124 rc = send_recv(send_fd, -1, 0, 0);
125 printf("recvmsg(-1, NULL, 0) = %d %s (%m)\n",
/*
 * Test driver body: create a connected AF_UNIX stream pair, bind fds[1] to
 * a pathname, run test_msg_name() with fds[1] as the sending side and
 * fds[0] as the receiving side, then print the exit marker line.
 *
 * NOTE(review): the enclosing function header, the declaration of fds, the
 * end of the initializer and the end of the function are not visible in
 * this listing (embedded lines 129-132, 139 and 149 onward are absent).
 */
133 if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds))
134 perror_msg_and_skip("socketpair");
/*
 * The socket path is a fixed relative name, so it is created in whatever
 * the current working directory is.
 */
136 const struct sockaddr_un un = {
137 .sun_family = AF_UNIX,
138 .sun_path = "msg_name-recvmsg.test.send.socket"
/*
 * The path is unlinked before bind() and again right after it; both
 * results are deliberately ignored.  The first call clears a leftover
 * entry, the second removes the directory entry that bind() just created.
 */
141 (void) unlink(un.sun_path);
142 if (bind(fds[1], (const void *) &un, sizeof(un)))
143 perror_msg_and_skip("bind");
144 (void) unlink(un.sun_path);
146 test_msg_name(fds[1], fds[0]);
148 puts("+++ exited with 0 +++");