[PATCH] sockaddr.3type: BUGS: Document that libc should be fixed using a union

Mon Feb 6 11:55:12 GMT 2023

Hi Xi,

On 2/6/23 07:02, Xi Ruoyao wrote:
> On Sun, 2023-02-05 at 16:31 +0100, Alejandro Colomar via Libc-alpha wrote:
> 
>> The only correct way to use  different  types  in  an  API  is
>> through  a  union.
> 
> I don't think this statement is true (in general).  Technically we can
> write something like this:
> 
> struct sockaddr { ... };
> struct sockaddr_in { ... };
> struct sockaddr_in6 { ... };
> 
> int bind(int fd, const struct sockaddr *addr, socklen_t addrlen)
> {
>      if (addrlen < sizeof(struct sockaddr) {
>          errno = EINVAL;
>          return -1;
>      }
> 
>      /* cannot use "addr->sa_family" directly: it will be an UB */
>      sa_family_t sa_family;
>      memcpy(&sa_family, addr, sizeof(sa_family));
> 
>      switch (sa_family) {
>          case AF_INET:
>              return _do_bind_in(fd, (struct sockaddr_in *)addr, addrlen);
>          case AF_INET6:
>              return _do_bind_in6(fd, (struct sockaddr_in6 *)addr, addrlen);
>          /* more cases follow here */
>          default:
>              errno = EINVAL;
>              return -1;
>          }
>      }
> }
> 
> In this way we can use sockaddr_{in,in6,...} for bind() safely, as long
> as we can distinguish the "real" type of addr using the leading byte
> sequence (and the caller uses it carefully).

True; I hadn't thought of memcpy()ing the first member of the struct.  That's 
valid; overcomplicated but valid.

> 
> But obviously sockaddr_storage can't be distinguished here, so casting a
> struct sockaddr_stroage * to struct sockaddr * and passing it to bind()
> will still be wrong (unless we make sockaddr_storage an union or add
> [[gnu::may_alias]]).

But as you say, it still leaves us with a question.  What should one declare for 
passing to the standard APIs?  It can only be a union.  So we can either tell 
users to each create their own union, or we can make sockaddr_storage be a 
union.  The latter slightly violates POSIX due to namespaces as Rich noted, but 
that's a minor violation, and POSIX can be changed to accomodate for that.

If we change sockaddr_storage to be a union, we have two benefits:

-  Old code which uses sockaddr_storage is made conforming (non-UB) without 
modifying the source.
-  Users can inspect the structures.

If we don't, and deprecate sockaddr_storage, we should tell users to declare 
their own unions _and_ treat all these structures as black boxes which can only 
be read by memcpy()ing their contents.

Which of the two do we want?  I think fixing sockaddr_storage is simpler, and 
allows existing practice of reading these structures.  The other one just makes 
(or rather acknowledges, since it has always been like that) a lot of existing 
code invoke UB, and acknowledges that you can't safely use these structures 
without a lot of workarounding.

Cheers,

Alex

-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://sourceware.org/pipermail/libc-alpha/attachments/20230206/d90ff414/attachment-0001.sig>