Bug #2673
closed
e1_line socket has no/wrong path length check
Description
From recent commit https://gerrit.osmocom.org/#/c/4213/ it starts checking with strlcpy() that the file path is at least PATH_MAX. Even though that fixes a possible overflow, it is still wrong because a unix socket path is at most 108 characters, which means that if a larger path is passed, it will be truncated, and that can create problems (such as the truncated file path ending in "/" or in a directory that already exists in the path).
For more info see https://stackoverflow.com/questions/34829600/why-is-the-maximal-path-length-allowed-for-unix-sockets-on-linux-108 and "man 7 unix":
A UNIX domain socket address is represented in the following structure:

    struct sockaddr_un {
        sa_family_t sun_family;               /* AF_UNIX */
        char        sun_path[108];            /* pathname */
    };
It can also be checked using the following define:
/usr/include/linux/un.h:6:#define UNIX_PATH_MAX 108
/usr/include/linux/un.h:10: char sun_path[UNIX_PATH_MAX]; /* pathname */
Several points to improve:
- libosmo-abis: e1_input_vty.c: DEFUN: make sure the path is at most 107 chars (+1 '\0'), otherwise return warning.
- libosmo-abis: unixsocket.c: unixsocket_line_update: Use UNIX_PATH_MAX instead of PATH_MAX, which is too big.
Bonus: Grep in all projects which use "osmo_sock_unix_init" function, and make sure the same validations are applied during vty parsing.
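A sketch of the length check the points above ask for, added here as an example and not taken from libosmo-abis: the helper name sockaddr_un_from_path() is hypothetical, and the paths in main() are constructed. It rejects a path that does not fit in sun_path instead of truncating it, using sizeof(sun_path) so the limit follows the platform's struct.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not libosmo-abis API): fill a sockaddr_un from a
 * configured path. Returns 0 on success, -EINVAL for a missing or empty
 * path, -ENAMETOOLONG if the path plus its '\0' does not fit. */
int sockaddr_un_from_path(struct sockaddr_un *addr, const char *path)
{
	size_t len;

	if (!addr || !path)
		return -EINVAL;
	len = strlen(path);
	if (len == 0)
		return -EINVAL;
	/* sun_path is 108 bytes on Linux: at most 107 chars + '\0'.
	 * Refuse instead of truncating, so bind() never sees a shortened
	 * path that names some other file or directory. */
	if (len >= sizeof(addr->sun_path))
		return -ENAMETOOLONG;

	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	memcpy(addr->sun_path, path, len + 1);
	return 0;
}

int main(void)
{
	struct sockaddr_un addr;
	char longest[sizeof(addr.sun_path)];      /* constructed: max length */
	char too_long[sizeof(addr.sun_path) + 1]; /* constructed: one char more */

	memset(longest, 'a', sizeof(longest) - 1);
	longest[0] = '/';
	longest[sizeof(longest) - 1] = '\0';
	memset(too_long, 'a', sizeof(too_long) - 1);
	too_long[0] = '/';
	too_long[sizeof(too_long) - 1] = '\0';

	printf("max-length path: %d\n", sockaddr_un_from_path(&addr, longest));
	printf("one char longer: %d\n", sockaddr_un_from_path(&addr, too_long));
	return 0;
}
```

The same return codes can be mapped to a warning at vty parsing time, so an over-long path is rejected when it is configured and not only when the socket is created.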