The CMSG_SPACE() macro is intended to help you decide how much space to allocate to receive an ancillary message. It rounds up its calculation to the next word boundary. Unfortunately, on 64-bit systems, this means you will always end up with enough space for an even number of file descriptors. If you were expecting just one FD, you'll end up with enough buffer space to receive two. You MUST check whether you received two and close the second one, otherwise, again, an attacker can fill up your FD table.
That implies that calling recvmsg expecting one fd will panic if two are actually sent.
I have not tried to reproduce this issue in a test.
I would accept a PR fixing this. It has been a while since I worked on this crate, so I may misremember some things, but IIRC one of the reasons we were careful around this area of the code was specifically because we didn't really want to make a decision that dropping unexpected file descriptors in the library is the right thing to do. In fact, if we cannot really receive exactly up to the number of file descriptors as allowed by the file descriptor buffer, I would consider the API for this library to be wrong.
I wonder if it would be possible to set the msg_controllen to be exactly right despite what the CMSG_SPACE returns 🤔
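The behaviour the quoted gist passage describes, as an added example in C (not code from the sendfd crate or from the gist): a receiver that sizes its control buffer with CMSG_SPACE for one descriptor, keeps the first fd and closes any surplus. The names `one_fd_capacity`, `recv_one_fd` and `demo` are hypothetical, and the two-fd sender is a constructed scenario.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Descriptors that fit in a control buffer sized via CMSG_SPACE for ONE fd. */
static size_t one_fd_capacity(void) { return (CMSG_SPACE(sizeof(int)) - CMSG_LEN(0)) / sizeof(int); }

/* Hypothetical helper: receive one fd; close and count any surplus ones. */
static int recv_one_fd(int sock, int *extra_closed) {
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    int kept = -1;
    *extra_closed = 0;
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        size_t n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < n; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof fd, sizeof fd);
            if (kept < 0) kept = fd;                 /* the fd we expected */
            else { close(fd); ++*extra_closed; }     /* surplus: do not leak */
        }
    }
    return kept;
}

/* Constructed scenario: the peer sends TWO fds, the receiver expects one.
 * Returns the number of surplus descriptors closed, or -1 on error. */
static int demo(void) {
    int sv[2], extra = 0;
    union { struct cmsghdr align; char buf[CMSG_SPACE(2 * sizeof(int))]; } ctl = { .buf = {0} };
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(2 * sizeof(int));
    memcpy(CMSG_DATA(c), (int[2]){ sv[0], sv[0] }, 2 * sizeof(int)); /* any open fds */
    int kept = sendmsg(sv[0], &msg, 0) < 0 ? -1 : recv_one_fd(sv[1], &extra);
    close(sv[0]); close(sv[1]);
    if (kept >= 0) close(kept);
    return kept < 0 ? -1 : extra;
}
int main(void) { return demo() < 0; }
```

On 64-bit Linux `one_fd_capacity()` is 2, so `demo()` closes one surplus descriptor; where the capacity is 1, the second fd never reaches the receiver.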
Regarding the comment and unreachable!() in sendfd/src/lib.rs (lines 155 to 164 in 69994c1):
I am using sendfd in a new project. While researching the actual semantics of fd-passing, I found Kenton Varda's excellent summary of the subtleties and dangers: https://gist.github.com/kentonv/bc7592af98c68ba2738f4436920868dc
In particular: