From 985e257b1fa5534ef8cebd7a0aa075dd10327604 Mon Sep 17 00:00:00 2001 From: Aurelien DARRAGON Date: Tue, 21 Feb 2023 17:33:50 +0100 Subject: [PATCH] BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp() In sock_unix_addrcmp(), named UNIX sockets paths are manually compared in order to properly handle tempname paths (ending with ".XXXX.tmp") that result from the 2-step bind implemented in sock_unix_bind_receiver(). However, this logic does not take into account "final" path names (without the ".XXXX.tmp" suffix). Example: /tmp/test did not match with /tmp/test.1288.tmp prior to this patch Indeed, depending on how the socket addr is retrieved, the same socket could be designated either by its tempname or finalname. socket addr is normally stored with its finalname within a receiver, but a call to getsockname() on the same socket will return the tempname that was used for the bind() call (sock_get_old_sockets() depends on getsockname()). This causes sock_find_compatible_fd() to malfunction with named UNIX sockets (ie: haproxy -x CLI option). To fix this, we slightly modify the check around the temp suffix in sock_unix_addrcmp(): we perform the suffix check even if one of the paths is lacking the temp suffix (with proper precautions). Now the function is able to match: - finalname x finalname - tempname x tempname - finalname x tempname That is: /tmp/test == /tmp/test.1288.tmp == /tmp/test.X.tmp It should be backported up to 2.4 (cherry picked from commit 2a7903bbb2102867132d9821913c51cb1b938962) Signed-off-by: Willy Tarreau (cherry picked from commit af3fa8c632abd425278bd8a8ae4ca89e41e92064) Signed-off-by: Christopher Faulet --- src/sock_unix.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/sock_unix.c b/src/sock_unix.c index 47f8566ec..1c3dbd761 100644 --- a/src/sock_unix.c +++ b/src/sock_unix.c @@ -93,7 +93,21 @@ int sock_unix_addrcmp(const struct sockaddr_storage *a, const struct sockaddr_st /* Now we have a difference. It's OK if they are within or after a * sequence of digits following a dot, and are followed by ".tmp". + * + * make sure to perform the check against tempname if the compared + * string is in "final" format (does not end with ".XXXX.tmp"). + * + * Examples: + * /tmp/test matches with /tmp/test.1822.tmp + * /tmp/test.1822.tmp matches with /tmp/test.XXXX.tmp */ + if (au->sun_path[idx] == 0 || bu->sun_path[idx] == 0) { + if (au->sun_path[idx] == '.' || bu->sun_path[idx] == '.') + dot = idx; /* try to match against temp path */ + else + return -1; /* invalid temp path */ + } + if (!dot) return -1;