Thread (15 messages) 15 messages, 6 authors, 2010-04-05

Re: Undefined behaviour of connect(fd, NULL, 0);

From: Stephen Hemminger <hidden>
Date: 2010-03-31 21:15:13 

On Thu, 1 Apr 2010 07:24:12 +1100
Neil Brown [off-list ref] wrote:

On Wed, 31 Mar 2010 11:49:36 -0700
Stephen Hemminger [off-list ref] wrote:
quoted
On Wed, 31 Mar 2010 22:36:37 +1100
Neil Brown [off-list ref] wrote:
quoted
Hi Netdev.

We have a customer who was reporting strangely unpredictable behaviour of an
in-house application that used networking.

It called connect on a non-blocking socket and subsequently called
   connect(fd, NULL, 0)

to check if the connection had succeeded.
This would sometime "work" and sometimes close the connection.

Looking at the code (sys_connect, move_addr_to_kernel, inet_stream_connect),
it seems that in this case an uninitialised on-stack address is passed
to inet_stream_connect and it makes a decision based on ->sa_family (which is
uninitialised).

It seems clear that connect(fd, NULL, 0) is the wrong thing to do in this
circumstance, but I think it would be good if it failed consistently rather
than unpredictably.

Would it be appropriate for move_addr_to_kernel to zero out the remainder of
the address?
   memset(kaddr+ulen, 0, MAX_SOCK_ADDR-ulen);
??

Then connect(fd, NULL, 0) would always break the connection.
I think the problem is inet_stream_connect referencing past addr_len.

--- a/net/ipv4/af_inet.c	2010-03-31 11:47:01.952910248 -0700
+++ b/net/ipv4/af_inet.c	2010-03-31 11:48:09.852938406 -0700
@@ -575,7 +575,7 @@ int inet_stream_connect(struct socket *s
 
 	lock_sock(sk);
 
-	if (uaddr->sa_family == AF_UNSPEC) {
+	if (addr_len < sizeof(sa_family_t) || uaddr->sa_family == AF_UNSPEC) {
 		err = sk->sk_prot->disconnect(sk, flags);
 		sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED;
 		goto out;
Thanks for the reply.

The implication of this patch is that
   connect(fd, NULL, 0)
is actually a valid way to check if an in-progress connection has completed.

Is that the intention?
The rationale is that move_addr_to_kernel, explcitly allow addr=NULL with addr_len=0
so if it is allowed there why not let it through. The implication of this is that
addr_len is the same as AF_UNSPEC.

Does all other address manipulation code check the addr_len ?? (probably).
Not sure.
Someone ought to check BSD/Solaris to see if there is some standard here.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help