From: mame@...
Date: 2015-06-19T14:11:23+00:00
Subject: [ruby-core:69681] [Ruby trunk - Bug #11270] [Rejected] Coverity Scan warns out-of-bounds access in ext/socket

Issue #11270 has been updated by Yusuke Endoh.

Status changed from Open to Rejected

I talked with akr on twitter, and was convinced that `(void*)&arg.buf.addr == (void*)&arg.buf` was guaranteed. So closing.

6.3.2.3 (7) says that a cast to `char *` yields a pointer to the lowest addressed byte of the object. This indirectly guarantees the equality, I think.

```
A pointer to an object or incomplete type may be converted to a pointer to a different object or incomplete type. If the resulting pointer is not correctly aligned for the pointed-to type, the behavior is undefined. Otherwise, when converted back again, the result shall compare equal to the original pointer. When a pointer to an object is converted to a pointer to a character type, the result points to the lowest addressed byte of the object. Successive increments of the result, up to the size of the object, yield pointers to the remaining bytes of the object.
```

Thank you very much!

--
Yusuke Endoh

----------------------------------------
Bug #11270: Coverity Scan warns out-of-bounds access in ext/socket
https://bugs.ruby-lang.org/issues/11270#change-53053

* Author: Yusuke Endoh
* Status: Rejected
* Priority: Normal
* Assignee:
* ruby -v:
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Hello,

Coverity Scan warns about ext/socket/init.c and raddrinfo.c.

`rsock_s_recvfrom` in ext/socket/init.c does:

```
arg.alen = (socklen_t)sizeof(arg.buf);
```

then calls `rsock_io_socket_addrinfo`:

```
return rb_assoc_new(str, rsock_io_socket_addrinfo(sock, &arg.buf.addr, arg.alen));
```

`rsock_io_socket_addrinfo` indirectly calls `init_addrinfo` in ext/socket/raddrinfo.c.
(`rsock_io_socket_addrinfo` -> `rsock_fd_socket_addrinfo` -> `rsock_addrinfo_new` -> `init_addrinfo`)

`init_addrinfo` does:

```
memcpy((void *)&rai->addr, (void *)sa, len);
```

Note that `sa` is `&arg.buf.addr`, and `len` is `arg.alen`. `&arg.buf.addr` is a pointer to sockaddr, and `arg.alen` is `sizeof(union_sockaddr)`, not `sizeof(sockaddr)`, which is indeed inconsistent.

I don't think this inconsistency will cause actual harm, but it would be better to fix.

--
Yusuke Endoh

--
https://bugs.ruby-lang.org/
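The reasoning in the thread (the first member of a union starts at the union's own address, so a `memcpy` of `sizeof(union)` bytes from `&arg.buf.addr` stays inside the enclosing object even though it exceeds `sizeof(struct sockaddr)`) can be checked directly. The following is an added example, not code from Ruby's ext/socket; `union sample_sockaddr` and `struct arg_like` are constructed stand-ins for ext/socket's `union_sockaddr` and the local `arg` struct (assumption: the real union has more members, but the argument only needs the first member to be a `struct sockaddr` and the union to be larger than it). The explicit length check in `copy_like_init_addrinfo` is the defensive bound a reviewer would want; it is not part of the original `init_addrinfo`.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed stand-in for ext/socket's union_sockaddr (assumption). The
 * first member is a plain struct sockaddr, as in the report; the larger
 * members make sizeof(union) > sizeof(struct sockaddr), which is exactly
 * what Coverity flagged. */
union sample_sockaddr {
    struct sockaddr addr;
    struct sockaddr_in in;
    struct sockaddr_in6 in6;
    struct sockaddr_storage storage;
};

/* Constructed stand-in for the local `arg` in rsock_s_recvfrom. */
struct arg_like {
    union sample_sockaddr buf;
    socklen_t alen;
};

/* C11 6.3.2.3p7: converting to char* yields the lowest addressed byte of the
 * object. A union and its first member share that byte, so the two casts
 * compare equal. Returns 1 when they do. */
int first_member_aliases_union(void)
{
    struct arg_like arg;
    char *u = (char *)&arg.buf;
    char *m = (char *)&arg.buf.addr;
    return u == m;
}

/* Mirrors the memcpy in init_addrinfo, reading `len` bytes through a pointer
 * to the sockaddr member. The length check is the defensive bound a hardened
 * implementation would add (not in the original): the copy may never exceed
 * the enclosing union. Returns bytes copied, or -1 if len is too large. */
long copy_like_init_addrinfo(union sample_sockaddr *dst,
                             const struct sockaddr *sa, socklen_t len)
{
    if (len > sizeof(*dst))
        return -1;
    memcpy((void *)dst, (const void *)sa, len);
    return (long)len;
}

/* Fills the union through its IPv6 member (constructed sample: [::1]:443),
 * sets alen = sizeof(arg.buf) as rsock_s_recvfrom does, copies through
 * &arg.buf.addr, and checks that the bytes beyond sizeof(struct sockaddr)
 * (port and address live there) survived the copy. Returns 1 on success. */
int round_trip_preserves_ipv6(void)
{
    struct arg_like arg;
    union sample_sockaddr copy;
    long n;

    memset(&arg, 0, sizeof arg);
    arg.buf.in6.sin6_family = AF_INET6;
    arg.buf.in6.sin6_port = htons(443);
    arg.buf.in6.sin6_addr.s6_addr[15] = 1; /* ::1 */
    arg.alen = (socklen_t)sizeof(arg.buf);

    memset(&copy, 0, sizeof copy);
    n = copy_like_init_addrinfo(&copy, &arg.buf.addr, arg.alen);

    return n == (long)sizeof(copy)
        && copy.in6.sin6_family == AF_INET6
        && ntohs(copy.in6.sin6_port) == 443
        && copy.in6.sin6_addr.s6_addr[15] == 1;
}

int main(void)
{
    printf("sizeof(struct sockaddr)=%zu sizeof(union)=%zu\n",
           sizeof(struct sockaddr), sizeof(union sample_sockaddr));
    printf("first member aliases union: %d\n", first_member_aliases_union());
    printf("ipv6 round trip intact: %d\n", round_trip_preserves_ipv6());
    return 0;
}
```

The copy reads past `sizeof(struct sockaddr)` but not past `sizeof(union sample_sockaddr)`, which is why the analyzer's warning is a false positive for the real code; the same copy with a `len` larger than the union would be a genuine overrun, and that is the case the added length check rejects.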