Hi Alan, thanks for the review.
On Thu, Mar 27, 2014 at 7:31 PM, Alan Bateman <alan.bate...@oracle.com> wrote: > On 27/03/2014 18:08, Volker Simonis wrote: >> >> Hi, >> >> a security audit for the PPC64/AIX port revealed an unsecure useage of >> 'strcpy' in Java_sun_tools_attach_AixVirtualMachine_connect(). Because >> the same coding is also used in the Linux and BSD implementations, the >> following change fixes them all together: >> >> http://cr.openjdk.java.net/~simonis/webrevs/8038233/ >> https://bugs.openjdk.java.net/browse/JDK-8038233 >> >> Compiled and tested (with the com/sun/jdi, com/sun/tools/attach, >> com/sun/management and sun/management JTreg tests) on Linux, MacOS X >> and AIX. >> >> Please notice that this fix is also intended for backporting tu 8u. >> > As we now have 3 implementations using socket pairs then there might be an > opportunity to consolidate the implementations, not for this patch of > course. > I agree, there's a lot of common code in the three implementations. > Your changes looks okay and it's good to memset the sockaddr_un structure. > As regards the issue is a concern or not then it's important to note thaht > the Attach API is in tools.jar, it's not in a JRE build. Also an attach > requires a Permission check if running with a security manager and I likely > vert rare for tools to do this. Also to cause a problem then it would > require the temporary directory to be unusually long. > You're right. I was initially concerned a little more because the Linux implementation also uses the process' current working directory. But that's just for the attach file, not for the actual sockets - so no problem. Regards, Volker > -Alan.
