diff options
| author | Colin Percival <cperciva@FreeBSD.org> | 2011-10-04 19:07:38 +0000 |
|---|---|---|
| committer | Colin Percival <cperciva@FreeBSD.org> | 2011-10-04 19:07:38 +0000 |
| commit | 5da3eb94fc6c44f333b318c7fd5cd37efea3a7d3 (patch) | |
| tree | 92dfae97850af8d9e9708521200ac72fee06be92 /sys/compat | |
| parent | 837b4d462d65a56f4b567e9c9339b282f8bdbd04 (diff) | |
| download | src-5da3eb94fc6c44f333b318c7fd5cd37efea3a7d3.tar.gz src-5da3eb94fc6c44f333b318c7fd5cd37efea3a7d3.zip | |
Fix a bug in UNIX socket handling in the linux emulator which was
exposed by the security fix in FreeBSD-SA-11:05.unix.
Approved by: so (cperciva)
Approved by: re (kib)
Security: Related to FreeBSD-SA-11:05.unix, but not actually
a security fix.
Notes
Notes:
svn path=/head/; revision=226023
Diffstat (limited to 'sys/compat')
| -rw-r--r-- | sys/compat/linux/linux_socket.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c index 7568c82f1523..a86a23fda5dc 100644 --- a/sys/compat/linux/linux_socket.c +++ b/sys/compat/linux/linux_socket.c @@ -104,6 +104,7 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen, int oldv6size; struct sockaddr_in6 *sin6; #endif + int namelen; if (*osalen < 2 || *osalen > UCHAR_MAX || !osa) return (EINVAL); @@ -166,6 +167,20 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen, } } + if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) { + for (namelen = 0; + namelen < *osalen - offsetof(struct sockaddr_un, sun_path); + namelen++) + if (!((struct sockaddr_un *)kosa)->sun_path[namelen]) + break; + if (namelen + offsetof(struct sockaddr_un, sun_path) > + sizeof(struct sockaddr_un)) { + error = EINVAL; + goto out; + } + alloclen = sizeof(struct sockaddr_un); + } + sa = (struct sockaddr *) kosa; sa->sa_family = bdom; sa->sa_len = alloclen; |