Handle non-NUL-terminated strings in SocketAddrUnix.

sunfishcode · sunfishcode · commit 4d56b59e6acf · 2025-03-03T08:40:43.000-08:00
Unix-domain socket address can be long enough that the NUL terminator does not fit. Handle this case by making `path()` return a `Cow<CStr>` and adding a NUL terminator as needed. Also add a `path_bytes()` function for returning the raw bytes. Fixes #1316.
diff --git a/src/backend/libc/net/addr.rs b/src/backend/libc/net/addr.rs
@@ -13,6 +13,8 @@ use {
     core::hash::{Hash, Hasher},
     core::slice,
 };
+#[cfg(all(unix, feature = "alloc"))]
+use {crate::ffi::CString, alloc::borrow::Cow};
 
 /// `struct sockaddr_un`
 #[cfg(unix)]
@@ -35,9 +37,12 @@ impl SocketAddrUnix {
     #[inline]
     fn _new(path: &CStr) -> io::Result<Self> {
         let mut unix = Self::init();
-        let bytes = path.to_bytes_with_nul();
+        let mut bytes = path.to_bytes_with_nul();
         if bytes.len() > unix.sun_path.len() {
-            return Err(io::Errno::NAMETOOLONG);
+            bytes = path.to_bytes(); // without NUL
+            if bytes.len() > unix.sun_path.len() {
+                return Err(io::Errno::NAMETOOLONG);
+            }
         }
         for (i, b) in bytes.iter().enumerate() {
             unix.sun_path[i] = *b as c::c_char;
@@ -129,12 +134,44 @@ impl SocketAddrUnix {
 
     /// For a filesystem path address, return the path.
     #[inline]
-    pub fn path(&self) -> Option<&CStr> {
+    #[cfg(feature = "alloc")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "alloc")))]
+    pub fn path(&self) -> Option<Cow<CStr>> {
+        let bytes = self.bytes()?;
+        if !bytes.is_empty() && bytes[0] != 0 {
+            if self.unix.sun_path.len() == bytes.len() {
+                self.path_with_termination(bytes)
+            } else {
+                // SAFETY: `from_bytes_with_nul_unchecked` since the string is
+                // NUL-terminated.
+                Some(unsafe { CStr::from_bytes_with_nul_unchecked(bytes) }.into())
+            }
+        } else {
+            None
+        }
+    }
+
+    /// If the `sun_path` field is not NUL-terminated, terminate it.
+    #[cfg(feature = "alloc")]
+    fn path_with_termination(&self, bytes: &[u8]) -> Option<Cow<CStr>> {
+        let mut owned = bytes.to_owned();
+        owned.push(b'\0');
+        Some(CString::from_vec_with_nul(owned).unwrap().into())
+    }
+
+    /// For a filesystem path address, return the path as a byte sequence,
+    /// excluding the NUL terminator.
+    #[inline]
+    pub fn path_bytes(&self) -> Option<&[u8]> {
         let bytes = self.bytes()?;
         if !bytes.is_empty() && bytes[0] != 0 {
-            // SAFETY: `from_bytes_with_nul_unchecked` since the string is
-            // NUL-terminated.
-            Some(unsafe { CStr::from_bytes_with_nul_unchecked(bytes) })
+            if self.unix.sun_path.len() == self.len() - offsetof_sun_path() {
+                // There is no NUL terminator.
+                Some(bytes)
+            } else {
+                // Remove the NUL terminator.
+                Some(&bytes[..bytes.len() - 1])
+            }
         } else {
             None
         }
diff --git a/src/backend/linux_raw/net/addr.rs b/src/backend/linux_raw/net/addr.rs
@@ -14,6 +14,8 @@ use crate::{io, path};
 use core::cmp::Ordering;
 use core::hash::{Hash, Hasher};
 use core::{fmt, slice};
+#[cfg(feature = "alloc")]
+use {crate::ffi::CString, alloc::borrow::Cow};
 
 /// `struct sockaddr_un`
 #[derive(Clone)]
@@ -33,9 +35,12 @@ impl SocketAddrUnix {
     #[inline]
     fn _new(path: &CStr) -> io::Result<Self> {
         let mut unix = Self::init();
-        let bytes = path.to_bytes_with_nul();
+        let mut bytes = path.to_bytes_with_nul();
         if bytes.len() > unix.sun_path.len() {
-            return Err(io::Errno::NAMETOOLONG);
+            bytes = path.to_bytes(); // without NUL
+            if bytes.len() > unix.sun_path.len() {
+                return Err(io::Errno::NAMETOOLONG);
+            }
         }
         for (i, b) in bytes.iter().enumerate() {
             unix.sun_path[i] = bitcast!(*b);
@@ -91,12 +96,44 @@ impl SocketAddrUnix {
 
     /// For a filesystem path address, return the path.
     #[inline]
-    pub fn path(&self) -> Option<&CStr> {
+    #[cfg(feature = "alloc")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "alloc")))]
+    pub fn path(&self) -> Option<Cow<CStr>> {
         let bytes = self.bytes()?;
         if !bytes.is_empty() && bytes[0] != 0 {
-            // SAFETY: `from_bytes_with_nul_unchecked` since the string is
-            // NUL-terminated.
-            Some(unsafe { CStr::from_bytes_with_nul_unchecked(bytes) })
+            if self.unix.sun_path.len() == bytes.len() {
+                self.path_with_termination(bytes)
+            } else {
+                // SAFETY: `from_bytes_with_nul_unchecked` since the string is
+                // NUL-terminated.
+                Some(unsafe { CStr::from_bytes_with_nul_unchecked(bytes) }.into())
+            }
+        } else {
+            None
+        }
+    }
+
+    /// If the `sun_path` field is not NUL-terminated, terminate it.
+    #[cfg(feature = "alloc")]
+    fn path_with_termination(&self, bytes: &[u8]) -> Option<Cow<CStr>> {
+        let mut owned = bytes.to_owned();
+        owned.push(b'\0');
+        Some(CString::from_vec_with_nul(owned).unwrap().into())
+    }
+
+    /// For a filesystem path address, return the path as a byte sequence,
+    /// excluding the NUL terminator.
+    #[inline]
+    pub fn path_bytes(&self) -> Option<&[u8]> {
+        let bytes = self.bytes()?;
+        if !bytes.is_empty() && bytes[0] != 0 {
+            if self.unix.sun_path.len() == self.len() - offsetof_sun_path() {
+                // There is no NUL terminator.
+                Some(bytes)
+            } else {
+                // Remove the NUL terminator.
+                Some(&bytes[..bytes.len() - 1])
+            }
         } else {
             None
         }
diff --git a/tests/net/addr.rs b/tests/net/addr.rs
@@ -31,19 +31,19 @@ fn test_unix_addr() {
 
     assert_eq!(
         SocketAddrUnix::new("/").unwrap().path().unwrap(),
-        cstr!("/")
+        cstr!("/").into()
     );
     assert_eq!(
         SocketAddrUnix::new("//").unwrap().path().unwrap(),
-        cstr!("//")
+        cstr!("//").into()
     );
     assert_eq!(
         SocketAddrUnix::new("/foo/bar").unwrap().path().unwrap(),
-        cstr!("/foo/bar")
+        cstr!("/foo/bar").into()
     );
     assert_eq!(
         SocketAddrUnix::new("foo").unwrap().path().unwrap(),
-        cstr!("foo")
+        cstr!("foo").into()
     );
     SocketAddrUnix::new("/foo\0/bar").unwrap_err();
     assert!(SocketAddrUnix::new("").unwrap().path().is_none());
diff --git a/tests/net/unix.rs b/tests/net/unix.rs
@@ -364,12 +364,21 @@ fn do_test_unix_msg_unconnected(addr: SocketAddrUnix) {
 #[cfg(not(any(target_os = "espidf", target_os = "redox", target_os = "wasi")))]
 #[test]
 fn test_unix_msg() {
+    use rustix::ffi::CString;
+    use std::os::unix::ffi::OsStrExt as _;
+
     crate::init();
 
     let tmpdir = tempfile::tempdir().unwrap();
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new(&path).unwrap();
+    assert_eq!(
+        name.path(),
+        Some(CString::new(path.as_os_str().as_bytes()).unwrap().into())
+    );
+    assert_eq!(name.path_bytes(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg(name);
 
     unlinkat(CWD, path, AtFlags::empty()).unwrap();
@@ -379,12 +388,21 @@ fn test_unix_msg() {
 #[cfg(not(any(target_os = "espidf", target_os = "redox", target_os = "wasi")))]
 #[test]
 fn test_unix_msg_unconnected() {
+    use rustix::ffi::CString;
+    use std::os::unix::ffi::OsStrExt as _;
+
     crate::init();
 
     let tmpdir = tempfile::tempdir().unwrap();
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new(&path).unwrap();
+    assert_eq!(
+        name.path(),
+        Some(CString::new(path.as_os_str().as_bytes()).unwrap().into())
+    );
+    assert_eq!(name.path_bytes(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg_unconnected(name);
 
     unlinkat(CWD, path, AtFlags::empty()).unwrap();
@@ -401,6 +419,8 @@ fn test_abstract_unix_msg() {
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new_abstract_name(path.as_os_str().as_bytes()).unwrap();
+    assert_eq!(name.abstract_name(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg(name);
 }
 
@@ -416,6 +436,8 @@ fn test_abstract_unix_msg_unconnected() {
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new_abstract_name(path.as_os_str().as_bytes()).unwrap();
+    assert_eq!(name.abstract_name(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg_unconnected(name);
 }
 
@@ -948,3 +970,34 @@ fn test_bind_unnamed_address() {
     assert_ne!(address.abstract_name(), None);
     assert_eq!(address.path(), None);
 }
+
+/// Test that names long enough to not have room for the NUL terminator are
+/// handled properly.
+#[test]
+fn test_long_named_address() {
+    use memoffset::span_of;
+    use rustix::ffi::CString;
+    use std::os::unix::ffi::OsStrExt;
+    use std::path::PathBuf;
+
+    let lens = [
+        span_of!(libc::sockaddr_un, sun_path).len(),
+        #[cfg(linux_kernel)]
+        span_of!(linux_raw_sys::net::sockaddr_un, sun_path).len(),
+    ];
+
+    for len in lens {
+        let path = PathBuf::from("a".repeat(len));
+        let name = SocketAddrUnix::new(&path).unwrap();
+        assert_eq!(
+            name.path(),
+            Some(CString::new(path.as_os_str().as_bytes()).unwrap().into())
+        );
+        assert_eq!(
+            name.path(),
+            Some(CString::new(path.as_os_str().as_bytes()).unwrap().into())
+        );
+        assert_eq!(name.path_bytes(), Some(path.as_os_str().as_bytes()));
+        assert!(!name.is_unnamed());
+    }
+}
diff --git a/tests/net/unix_alloc.rs b/tests/net/unix_alloc.rs
@@ -361,12 +361,21 @@ fn do_test_unix_msg_unconnected(addr: SocketAddrUnix) {
 #[cfg(not(any(target_os = "espidf", target_os = "redox", target_os = "wasi")))]
 #[test]
 fn test_unix_msg() {
+    use rustix::ffi::CString;
+    use std::os::unix::ffi::OsStrExt as _;
+
     crate::init();
 
     let tmpdir = tempfile::tempdir().unwrap();
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new(&path).unwrap();
+    assert_eq!(
+        name.path(),
+        Some(CString::new(path.as_os_str().as_bytes()).unwrap().into())
+    );
+    assert_eq!(name.path_bytes(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg(name);
 
     unlinkat(CWD, path, AtFlags::empty()).unwrap();
@@ -376,12 +385,21 @@ fn test_unix_msg() {
 #[cfg(not(any(target_os = "espidf", target_os = "redox", target_os = "wasi")))]
 #[test]
 fn test_unix_msg_unconnected() {
+    use rustix::ffi::CString;
+    use std::os::unix::ffi::OsStrExt as _;
+
     crate::init();
 
     let tmpdir = tempfile::tempdir().unwrap();
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new(&path).unwrap();
+    assert_eq!(
+        name.path(),
+        Some(CString::new(path.as_os_str().as_bytes()).unwrap().into())
+    );
+    assert_eq!(name.path_bytes(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg_unconnected(name);
 
     unlinkat(CWD, path, AtFlags::empty()).unwrap();
@@ -398,6 +416,8 @@ fn test_abstract_unix_msg() {
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new_abstract_name(path.as_os_str().as_bytes()).unwrap();
+    assert_eq!(name.abstract_name(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg(name);
 }
 
@@ -413,6 +433,8 @@ fn test_abstract_unix_msg_unconnected() {
     let path = tmpdir.path().join("scp_4804");
 
     let name = SocketAddrUnix::new_abstract_name(path.as_os_str().as_bytes()).unwrap();
+    assert_eq!(name.abstract_name(), Some(path.as_os_str().as_bytes()));
+    assert!(!name.is_unnamed());
     do_test_unix_msg_unconnected(name);
 }
 
