[PATCH] D20280: [asan] Don't raise false alarm to recv/recvfrom when MSG_TRUNC is present.

Maxim Ostapenko via llvm-commits llvm-commits at lists.llvm.org
Mon May 16 02:55:39 PDT 2016 

m.ostapenko created this revision.
m.ostapenko added reviewers: kcc, dvyukov, eugenis.
m.ostapenko added subscribers: llvm-commits, laszio, ygribov.
m.ostapenko set the repository for this revision to rL LLVM.
Herald added subscribers: kubabrecka, srhines, danalbert, tberghammer, rengolin, aemerson.

Currenty ASan checks the return value of real recv/recvfrom to see if the written bytes fit in the buffer. That works fine most of time. However, there is an exception: (from the RECV(2) man page)
```
MSG_TRUNC (since Linux 2.2)
    ... return the real length of the packet or datagram, even when it was longer than the passed buffer. ...
```
Some programs combine MSG_TRUNC, MSG_PEEK and a single-byte buffer to peek the incoming data size without reading (much of) them. In this case, the return value is usually longer than what's been written and ASan raises a false alarm here. To avoid such false positive reports, we can use **min(res, len)** in COMMON_INTERCEPTOR_WRITE_RANGE checks.

Repository:
  rL LLVM

http://reviews.llvm.org/D20280

Files:
  lib/sanitizer_common/sanitizer_common_interceptors.inc
  test/asan/TestCases/Linux/recv_msg_trunc.cc

Index: test/asan/TestCases/Linux/recv_msg_trunc.cc
===================================================================
--- /dev/null
+++ test/asan/TestCases/Linux/recv_msg_trunc.cc
@@ -0,0 +1,36 @@
+// Test that ASan doesn't perform false alarm when MSG_TRUNC is present.
+//
+// RUN: %clangxx_asan %s -o %t && %run %t 2>&1
+//
+// UNSUPPORTED: android
+
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <assert.h>
+
+int main() {
+  int fd_0 = socket(AF_INET, SOCK_DGRAM, 0);
+  int fd_1 = socket(AF_INET, SOCK_DGRAM, 0);
+  struct sockaddr_in sin;
+  socklen_t len = sizeof(sin);
+  char *buf = (char *)malloc(1);
+
+  sin.sin_family = AF_INET;
+  // Choose a random port to bind.
+  sin.sin_port = 0;
+  sin.sin_addr.s_addr = INADDR_ANY;
+
+  assert(bind(fd_1, (struct sockaddr *)&sin, sizeof(sin)) == 0);
+  // Get the address and port binded.
+  assert(getsockname(fd_1, (struct sockaddr *)&sin, &len) == 0);
+  assert(sendto(fd_0, "hello", strlen("hello"), MSG_DONTWAIT,
+                (struct sockaddr *)&sin, sizeof(sin)) != -1);
+  assert(recv(fd_1, buf, 1, MSG_TRUNC) != -1);
+  free(buf);
+
+  return 0;
+}
+
Index: lib/sanitizer_common/sanitizer_common_interceptors.inc
===================================================================
--- lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -5498,7 +5498,7 @@
   COMMON_INTERCEPTOR_FD_ACCESS(ctx, fd);
   SSIZE_T res = REAL(recv)(fd, buf, len, flags);
   if (res > 0) {
-    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buf, res);
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buf, Min((SIZE_T)res, len));
   }
   if (res >= 0 && fd >= 0) COMMON_INTERCEPTOR_FD_ACQUIRE(ctx, fd);
   return res;
@@ -5515,7 +5515,7 @@
   (void)srcaddr_sz;  // prevent "set but not used" warning
   SSIZE_T res = REAL(recvfrom)(fd, buf, len, flags, srcaddr, addrlen);
   if (res > 0) {
-    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buf, res);
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buf, Min((SIZE_T)res, len));
     if (srcaddr)
       COMMON_INTERCEPTOR_INITIALIZE_RANGE(srcaddr,
                                           Min((SIZE_T)*addrlen, srcaddr_sz));


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D20280.57325.patch
Type: text/x-patch
Size: 2232 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20160516/9d3f046f/attachment.bin>

More information about the llvm-commits mailing list