Message ID | 20100331114936.3549ca90@s6510 |
---|---|
State | RFC, archived |
Delegated to: | David Miller |
Headers | show |
On Wed, 31 Mar 2010 11:49:36 -0700 Stephen Hemminger <shemminger@vyatta.com> wrote: > On Wed, 31 Mar 2010 22:36:37 +1100 > Neil Brown <neilb@suse.de> wrote: > > > > > Hi Netdev. > > > > We have a customer who was reporting strangely unpredictable behaviour of an > > in-house application that used networking. > > > > It called connect on a non-blocking socket and subsequently called > > connect(fd, NULL, 0) > > > > to check if the connection had succeeded. > > This would sometime "work" and sometimes close the connection. > > > > Looking at the code (sys_connect, move_addr_to_kernel, inet_stream_connect), > > it seems that in this case an uninitialised on-stack address is passed > > to inet_stream_connect and it makes a decision based on ->sa_family (which is > > uninitialised). > > > > It seems clear that connect(fd, NULL, 0) is the wrong thing to do in this > > circumstance, but I think it would be good if it failed consistently rather > > than unpredictably. > > > > Would it be appropriate for move_addr_to_kernel to zero out the remainder of > > the address? > > memset(kaddr+ulen, 0, MAX_SOCK_ADDR-ulen); > > ?? > > > > Then connect(fd, NULL, 0) would always break the connection. > > I think the problem is inet_stream_connect referencing past addr_len. > > --- a/net/ipv4/af_inet.c 2010-03-31 11:47:01.952910248 -0700 > +++ b/net/ipv4/af_inet.c 2010-03-31 11:48:09.852938406 -0700 > @@ -575,7 +575,7 @@ int inet_stream_connect(struct socket *s > > lock_sock(sk); > > - if (uaddr->sa_family == AF_UNSPEC) { > + if (addr_len < sizeof(sa_family_t) || uaddr->sa_family == AF_UNSPEC) { > err = sk->sk_prot->disconnect(sk, flags); > sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED; > goto out; Thanks for the reply. The implication of this patch is that connect(fd, NULL, 0) is actually a valid way to check if an in-progress connection has completed. Is that the intention? Does all other address manipulation code check the addr_len ?? (probably). Thanks, NeilBrown -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, 1 Apr 2010 07:24:12 +1100 Neil Brown <neilb@suse.de> wrote: > On Wed, 31 Mar 2010 11:49:36 -0700 > Stephen Hemminger <shemminger@vyatta.com> wrote: > > > On Wed, 31 Mar 2010 22:36:37 +1100 > > Neil Brown <neilb@suse.de> wrote: > > > > > > > > Hi Netdev. > > > > > > We have a customer who was reporting strangely unpredictable behaviour of an > > > in-house application that used networking. > > > > > > It called connect on a non-blocking socket and subsequently called > > > connect(fd, NULL, 0) > > > > > > to check if the connection had succeeded. > > > This would sometime "work" and sometimes close the connection. > > > > > > Looking at the code (sys_connect, move_addr_to_kernel, inet_stream_connect), > > > it seems that in this case an uninitialised on-stack address is passed > > > to inet_stream_connect and it makes a decision based on ->sa_family (which is > > > uninitialised). > > > > > > It seems clear that connect(fd, NULL, 0) is the wrong thing to do in this > > > circumstance, but I think it would be good if it failed consistently rather > > > than unpredictably. > > > > > > Would it be appropriate for move_addr_to_kernel to zero out the remainder of > > > the address? > > > memset(kaddr+ulen, 0, MAX_SOCK_ADDR-ulen); > > > ?? > > > > > > Then connect(fd, NULL, 0) would always break the connection. > > > > I think the problem is inet_stream_connect referencing past addr_len. > > > > --- a/net/ipv4/af_inet.c 2010-03-31 11:47:01.952910248 -0700 > > +++ b/net/ipv4/af_inet.c 2010-03-31 11:48:09.852938406 -0700 > > @@ -575,7 +575,7 @@ int inet_stream_connect(struct socket *s > > > > lock_sock(sk); > > > > - if (uaddr->sa_family == AF_UNSPEC) { > > + if (addr_len < sizeof(sa_family_t) || uaddr->sa_family == AF_UNSPEC) { > > err = sk->sk_prot->disconnect(sk, flags); > > sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED; > > goto out; > > Thanks for the reply. > > The implication of this patch is that > connect(fd, NULL, 0) > is actually a valid way to check if an in-progress connection has completed. > > Is that the intention? The rationale is that move_addr_to_kernel, explcitly allow addr=NULL with addr_len=0 so if it is allowed there why not let it through. The implication of this is that addr_len is the same as AF_UNSPEC. > Does all other address manipulation code check the addr_len ?? (probably). Not sure. Someone ought to check BSD/Solaris to see if there is some standard here. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Neil Brown <neilb@suse.de> Date: Thu, 1 Apr 2010 07:24:12 +1100 >> --- a/net/ipv4/af_inet.c 2010-03-31 11:47:01.952910248 -0700 >> +++ b/net/ipv4/af_inet.c 2010-03-31 11:48:09.852938406 -0700 >> @@ -575,7 +575,7 @@ int inet_stream_connect(struct socket *s >> >> lock_sock(sk); >> >> - if (uaddr->sa_family == AF_UNSPEC) { >> + if (addr_len < sizeof(sa_family_t) || uaddr->sa_family == AF_UNSPEC) { >> err = sk->sk_prot->disconnect(sk, flags); >> sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED; >> goto out; > > Thanks for the reply. > > The implication of this patch is that > connect(fd, NULL, 0) > is actually a valid way to check if an in-progress connection has completed. > > Is that the intention? That's not how I read the patch, the result is that connect(fd, NULL...) will now disconnect the socket. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 31 Mar 2010 14:17:32 -0700 (PDT) David Miller <davem@davemloft.net> wrote: > From: Neil Brown <neilb@suse.de> > Date: Thu, 1 Apr 2010 07:24:12 +1100 > > >> --- a/net/ipv4/af_inet.c 2010-03-31 11:47:01.952910248 -0700 > >> +++ b/net/ipv4/af_inet.c 2010-03-31 11:48:09.852938406 -0700 > >> @@ -575,7 +575,7 @@ int inet_stream_connect(struct socket *s > >> > >> lock_sock(sk); > >> > >> - if (uaddr->sa_family == AF_UNSPEC) { > >> + if (addr_len < sizeof(sa_family_t) || uaddr->sa_family == AF_UNSPEC) { > >> err = sk->sk_prot->disconnect(sk, flags); > >> sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED; > >> goto out; > > > > Thanks for the reply. > > > > The implication of this patch is that > > connect(fd, NULL, 0) > > is actually a valid way to check if an in-progress connection has completed. > > > > Is that the intention? > > That's not how I read the patch, the result is that connect(fd, NULL...) > will now disconnect the socket. Yes, you are right - I read it upside-down. Sorry. Thanks, NeilBrown -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- a/net/ipv4/af_inet.c 2010-03-31 11:47:01.952910248 -0700 +++ b/net/ipv4/af_inet.c 2010-03-31 11:48:09.852938406 -0700 @@ -575,7 +575,7 @@ int inet_stream_connect(struct socket *s lock_sock(sk); - if (uaddr->sa_family == AF_UNSPEC) { + if (addr_len < sizeof(sa_family_t) || uaddr->sa_family == AF_UNSPEC) { err = sk->sk_prot->disconnect(sk, flags); sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED; goto out;