Skip to content

Reject over-long unix socket paths in server_ports#13356

Open
moonchen wants to merge 2 commits into
apache:masterfrom
moonchen:uds-listen-path-length
Open

Reject over-long unix socket paths in server_ports#13356
moonchen wants to merge 2 commits into
apache:masterfrom
moonchen:uds-listen-path-length

Conversation

@moonchen

@moonchen moonchen commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Problem

A unix domain socket path in proxy.config.http.server_ports longer than sun_path (108 bytes including the terminator) is silently truncated: UnAddr's constructors strncpy into the 108-byte buffer, and an over-long input also leaves it unterminated (strncpy writes no terminator when it truncates). ATS then binds a listener on the wrong filesystem path — observed as the 107-byte truncated path plus a garbage byte in ss -xl — or dies at startup with Could not bind or listen to port 0 ... (error: 98) Address already in use when the truncated prefix happens to name an existing directory. Nothing tells the operator the configured path was too long. (The jsonrpc server already rejects an over-long socket path with a clear error; the traffic listener did not.)

Fix

  • HttpProxyPort::processOptions: reject a unix path that cannot fit sun_path, with a Warning naming the limit, like other invalid port tokens. The descriptor is dropped; as with any fully-invalid descriptor, ATS falls back to the default port if nothing valid remains.
  • UnAddr(const char *) / UnAddr(const std::string &): always null-terminate _path, so no future caller can produce an unterminated path buffer.

Tests

  • test_RecHttp: a normal unix path parses; the maximum-length (107-byte) path parses intact; a 108-byte path is rejected with the new warning.
  • test_ink_inet: over-long UnAddr construction yields a terminated, truncated _path from both string constructors.

A path longer than sun_path (108 bytes including the terminator) was
silently truncated -- and left unterminated, since strncpy writes no
terminator when it truncates -- so ATS bound a listener on the wrong
filesystem path with nothing telling the operator the configured path
was too long.

Reject the path at configuration parse with a Warning naming the
limit, and make UnAddr's string constructors always null-terminate.
Copilot AI review requested due to automatic review settings July 2, 2026 00:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens UNIX domain socket support in proxy.config.http.server_ports by preventing over-long sun_path values from being accepted (which previously could be silently truncated and/or unterminated), and adds unit tests to lock in the new behavior.

Changes:

  • Reject AF_UNIX server port descriptors whose path length cannot fit in sockaddr_un::sun_path, emitting a warning and dropping the invalid descriptor.
  • Ensure UnAddr string constructors always null-terminate _path even when truncation occurs.
  • Add unit tests covering max-length parsing, rejection behavior, and null-termination guarantees.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
src/records/RecHttp.cc Adds validation to reject over-long UNIX socket paths during server_ports parsing, with a clear warning.
include/tscore/ink_inet.h Makes UnAddr string constructors always null-terminate _path to prevent unterminated buffers on truncation.
src/records/unit_tests/test_RecHttp.cc Adds coverage for valid UNIX paths, maximum-length paths, and rejection of too-long paths (including warning behavior).
src/tscore/unit_tests/test_ink_inet.cc Adds coverage ensuring over-long UnAddr construction still yields a terminated, truncated _path.

Comment thread include/tscore/ink_inet.h Outdated
@moonchen moonchen self-assigned this Jul 2, 2026
@moonchen moonchen added the Bug label Jul 2, 2026
@moonchen moonchen added this to the 11.0.0 milestone Jul 2, 2026
assign() can ingest a full, unterminated sun_path from a kernel
sockaddr_un, and the copy constructor and operator= then propagate it.
Terminate in all three so _path is always a valid C string.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

2 participants