[PATCH 4/7] Add support for receiving fds in replies
Mark Kettenis
mark.kettenis at xs4all.nl
Thu Nov 7 14:07:41 PST 2013
> Date: Wed, 6 Nov 2013 12:14:21 -0500 (EST)
> From: Mouse <mouse at Rodents-Montreal.ORG>
>
> > Same comment about not using the CMSG_ API properly.
>
> Same comment about it being a broken API; I would say it's broken
> enough that it's not possible to use it properly.
It's horrible, yes. And you're right, CMSG_LEN/CMSG_SPACE was broken
on NetBSD for quite a while. But that was finally fixed about 2 years
ago.
> But my real point here is not to broken-record that, but to add a
> remark which I neglected to mention when I wrote about SCM_RIGHTS and
> CMSG_* before.
>
> NetBSD used to have the property that, upon receiving a message with
> file descriptors in it, all the descriptors would arrive in the
> recipient process's open file descriptors table even if their actual
> numbers were dropped for MSG_CTRUNC reasons; this makes it difficult to
> prevent malicious senders from running you out of file descriptors. I
> think modern NetBSD has this fixed, but I'd be surprised if there
> weren't some systems out there that still misbehave in that way.
We fixed several bugs in that area in OpenBSD over the last couple of
years. At the time NetBSD still had serious problems. IIRC our
conclusion was that FreeBSD and Linux didn't have the bug. But I must
admit that we didn't spent too much time on verifying that.
Since we were pretty horrified by the mess, we actually put some
restrictions on fd passing in OpenBSD:
1. We only support a single piece of ancillary data if file
descriptors are being passed.
2. When there is not enough room to receive all file descriptors,
recvmsg(2) will simply fail and accept no file descriptors instead
if returning sucessfully and setting MSG_CTRUNC.
Note that it looks like this was indeed the right decision, as 2)
actually protects OpenBSD from the file descriptor leaks in Keith's
current libxtrans code.
> You may not want to do anything about it - it's rather difficult to
> work around, especially on systems with nothing like the F_MAXFD fcntl
> available - but I haven't seen it mentioned, which, in a discussion of
> MSG_CTRUNC and closing stray file descriptors, leads me to suspect
> people weren't aware of it. (Of course, it's also possible I just
> missed something in the discussion.)
I think the only reasonable thing to do here is disable the file
descriptor passing on systems where file descriptor passing is (still)
broken like that.
More information about the xorg-devel
mailing list