Skip to content

Panic when receiving too many fds?Β #14

New issue
New issue
Open
Open
Panic when receiving too many fds?#14
@chadaustin

Description

@chadaustin
chadaustin
opened on Aug 31, 2023

Regarding the comment and unreachable!() in

sendfd/src/lib.rs

Lines 155 to 164 in 69994c1

// This branch is unreachable. We allocate the ancillary data buffer just
// large enough to fit exactly the number of `RawFd`s that are in the `fds`
// buffer. It is not possible for the OS to return more of them.
//
// If this branch ended up being reachable for some reason, it would be
// necessary for this branch to close the file descriptors to avoid leaking
// resources.
//
// TODO: consider using unreachable_unchecked
unreachable!();

I am using sendfd in a new project. While researching the actual semantics of fd-passing, I found Kenton Varda's excellent summary of the subtleties and dangers: https://gist.github.com/kentonv/bc7592af98c68ba2738f4436920868dc

In particular:

The CMSG_SPACE() macro is intended to help you decide how much space to allocate to receive an ancillary message. It rounds up its calculation to the next word boundary. Unfortunately, on 64-bit systems, this means you will always end up with enough space for an even number of file descriptors. If you were expecting just one FD, you'll end up with enough buffer space to receive two. You MUST check whether you received two and close the second one, otherwise, again, an attacker can fill up your FD table.

That implies that calling recvmsg expecting one fd will panic if two are actually sent.

I have not tried to reproduce this issue in a test.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions