Reject over-long unix socket paths in server_ports#13356
Open
moonchen wants to merge 2 commits into
Open
Conversation
A path longer than sun_path (108 bytes including the terminator) was silently truncated -- and left unterminated, since strncpy writes no terminator when it truncates -- so ATS bound a listener on the wrong filesystem path with nothing telling the operator the configured path was too long. Reject the path at configuration parse with a Warning naming the limit, and make UnAddr's string constructors always null-terminate.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens UNIX domain socket support in proxy.config.http.server_ports by preventing over-long sun_path values from being accepted (which previously could be silently truncated and/or unterminated), and adds unit tests to lock in the new behavior.
Changes:
- Reject
AF_UNIXserver port descriptors whose path length cannot fit insockaddr_un::sun_path, emitting a warning and dropping the invalid descriptor. - Ensure
UnAddrstring constructors always null-terminate_patheven when truncation occurs. - Add unit tests covering max-length parsing, rejection behavior, and null-termination guarantees.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
src/records/RecHttp.cc |
Adds validation to reject over-long UNIX socket paths during server_ports parsing, with a clear warning. |
include/tscore/ink_inet.h |
Makes UnAddr string constructors always null-terminate _path to prevent unterminated buffers on truncation. |
src/records/unit_tests/test_RecHttp.cc |
Adds coverage for valid UNIX paths, maximum-length paths, and rejection of too-long paths (including warning behavior). |
src/tscore/unit_tests/test_ink_inet.cc |
Adds coverage ensuring over-long UnAddr construction still yields a terminated, truncated _path. |
assign() can ingest a full, unterminated sun_path from a kernel sockaddr_un, and the copy constructor and operator= then propagate it. Terminate in all three so _path is always a valid C string.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
A unix domain socket path in
proxy.config.http.server_portslonger thansun_path(108 bytes including the terminator) is silently truncated:UnAddr's constructorsstrncpyinto the 108-byte buffer, and an over-long input also leaves it unterminated (strncpywrites no terminator when it truncates). ATS then binds a listener on the wrong filesystem path — observed as the 107-byte truncated path plus a garbage byte inss -xl— or dies at startup withCould not bind or listen to port 0 ... (error: 98) Address already in usewhen the truncated prefix happens to name an existing directory. Nothing tells the operator the configured path was too long. (The jsonrpc server already rejects an over-long socket path with a clear error; the traffic listener did not.)Fix
HttpProxyPort::processOptions: reject a unix path that cannot fitsun_path, with a Warning naming the limit, like other invalid port tokens. The descriptor is dropped; as with any fully-invalid descriptor, ATS falls back to the default port if nothing valid remains.UnAddr(const char *)/UnAddr(const std::string &): always null-terminate_path, so no future caller can produce an unterminated path buffer.Tests
test_RecHttp: a normal unix path parses; the maximum-length (107-byte) path parses intact; a 108-byte path is rejected with the new warning.test_ink_inet: over-longUnAddrconstruction yields a terminated, truncated_pathfrom both string constructors.