From: Aurelien DARRAGON Date: Tue, 21 Feb 2023 16:33:50 +0000 (+0100) Subject: BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp() X-Git-Tag: v2.8-dev5~106 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a7903bbb2102867132d9821913c51cb1b938962;p=thirdparty%2Fhaproxy.git BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp() In sock_unix_addrcmp(), named UNIX sockets paths are manually compared in order to properly handle tempname paths (ending with ".XXXX.tmp") that result from the 2-step bind implemented in sock_unix_bind_receiver(). However, this logic does not take into account "final" path names (without the ".XXXX.tmp" suffix). Example: /tmp/test did not match with /tmp/test.1288.tmp prior to this patch Indeed, depending on how the socket addr is retrieved, the same socket could be designated either by its tempname or finalname. socket addr is normally stored with its finalname within a receiver, but a call to getsockname() on the same socket will return the tempname that was used for the bind() call (sock_get_old_sockets() depends on getsockname()). This causes sock_find_compatible_fd() to malfunction with named UNIX sockets (ie: haproxy -x CLI option). To fix this, we slightly modify the check around the temp suffix in sock_unix_addrcmp(): we perform the suffix check even if one of the paths is lacking the temp suffix (with proper precautions). Now the function is able to match: - finalname x finalname - tempname x tempname - finalname x tempname That is: /tmp/test == /tmp/test.1288.tmp == /tmp/test.X.tmp It should be backported up to 2.4 --- diff --git a/src/sock_unix.c b/src/sock_unix.c index 8a840fe398..d549684c57 100644 --- a/src/sock_unix.c +++ b/src/sock_unix.c @@ -93,7 +93,21 @@ int sock_unix_addrcmp(const struct sockaddr_storage *a, const struct sockaddr_st /* Now we have a difference. It's OK if they are within or after a * sequence of digits following a dot, and are followed by ".tmp". + * + * make sure to perform the check against tempname if the compared + * string is in "final" format (does not end with ".XXXX.tmp"). + * + * Examples: + * /tmp/test matches with /tmp/test.1822.tmp + * /tmp/test.1822.tmp matches with /tmp/test.XXXX.tmp */ + if (au->sun_path[idx] == 0 || bu->sun_path[idx] == 0) { + if (au->sun_path[idx] == '.' || bu->sun_path[idx] == '.') + dot = idx; /* try to match against temp path */ + else + return -1; /* invalid temp path */ + } + if (!dot) return -1;