[PATCH v3] tests: extend for decoding of udev_monitor_netlink_header

Dmitry V. Levin ldv at altlinux.org
Sun Mar 11 23:22:09 UTC 2018


On Mon, Mar 12, 2018 at 12:31:12AM +0530, Harsha Sharma wrote:
> * tests/netlink_kobject_uevent.c: Add test_nlmsg_type_udev.
> ---
> Changes in v3:
> * change format type
> 
> Changes in v2:
> * Add decoding of kernel messages
> * initialize udev_monitor_netlink_header with non-zero values
> * cover case for length exceeding size of structure
> 
>  tests/netlink_kobject_uevent.c | 65 ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 65 insertions(+)
> 
> diff --git a/tests/netlink_kobject_uevent.c b/tests/netlink_kobject_uevent.c
> index cacab5fd..39b8c436 100644
> --- a/tests/netlink_kobject_uevent.c
> +++ b/tests/netlink_kobject_uevent.c
> @@ -27,9 +27,72 @@
>   */
>  
>  #include "tests.h"
> +#include <string.h>
>  #include <stdio.h>
>  #include <sys/socket.h>
> +#include <arpa/inet.h>
>  #include "netlink.h"
> +#include "netlink_kobject_uevent.h"
> +
> +static void
> +test_nlmsg_type_udev(const int fd)
> +{
> +	long ret;
> +	unsigned int offset = 8;
> +	struct udev_monitor_netlink_header uh = {
> +		.prefix = "libudev",
> +		.magic = htonl(0xfeedcafe),
> +		.header_size = sizeof(uh),
> +		.properties_off = 40,
> +		.properties_len = 299,
> +		.filter_subsystem_hash = htonl(0xc370b302),
> +		.filter_devtype_hash = htonl(0x10800000),
> +		.filter_tag_bloom_hi = htonl(0x2000400),
> +		.filter_tag_bloom_lo = htonl(0x10800000),
> +	};
> +	unsigned int len = sizeof(uh);
> +
> +	ret = sendto(fd, &uh, len + offset, MSG_DONTWAIT, NULL, 0);

Here you are sending "len + offset" bytes, that is, the whole "uh" object
and "offset" bytes of garbage on stack.

> +	printf("sendto(%d, {{prefix=\"%s\", magic=htonl(%#x)"
> +	       ", header_size=%u, properties_off=%u, properties_len=%u"
> +	       ", filter_subsystem_hash=htonl(%#x)"
> +	       ", filter_devtype_hash=htonl(%#x)"
> +	       ", filter_tag_bloom_hi=htonl(%#x)"
> +	       ", filter_tag_bloom_lo=htonl(%#x)}, "
> +	       , fd, uh.prefix,
> +	       ntohl(uh.magic), uh.header_size, uh.properties_off,
> +	       uh.properties_len, ntohl(uh.filter_subsystem_hash),
> +	       ntohl(uh.filter_devtype_hash), ntohl(uh.filter_tag_bloom_hi),
> +	       ntohl(uh.filter_tag_bloom_lo));
> +	char buf[len + offset];
> +	memcpy(buf, &uh, len + offset);

Here you are copying "offset" bytes of garbage from stack to stack.
Garbage in - garbage out.

> +	print_quoted_memory(buf + len, offset);

Here you are printing the garbage copied earlier.  What are the chances
this garbage is the same that was sent earlier to the kernel?

> +	printf("}, %u, MSG_DONTWAIT, NULL, 0) = %s\n",
> +	       len + offset, sprintrc(ret));
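Review bot: both `sendto(fd, &uh, len + offset, MSG_DONTWAIT, NULL, 0)` and `memcpy(buf, &uh, len + offset)` read `offset` bytes past the end of `uh`, so the test has undefined behaviour and the trailing bytes it later prints with `print_quoted_memory(buf + len, offset)` are not guaranteed to be the bytes the kernel received. Build the buffer first and send from it: move `char buf[len + offset];` above the `sendto`, then `memcpy(buf, &uh, len); memset(buf + len, 0x42, offset);` (any fixed fill value will do, the point is that it is known), and call `ret = sendto(fd, buf, len + offset, MSG_DONTWAIT, NULL, 0);` so that the same `buf + len` is what gets printed afterwards. Saving `sprintrc(ret)` into a `const char *` before the first `printf` then makes the expected output fully deterministic.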

Note that at this point errno may be already clobbered by earlier printf
calls, and sprintrc(ret) may print garbage.  sprintrc has to be invoked
before the first printf call, and its return code saved for future use.


-- 
ldv