Fix a bug in UNIX socket handling in the linux emulator which was

exposed by the security fix in FreeBSD-SA-11:05.unix. Approved by: so (cperciva) Approved by: re (kib) Security: Related to FreeBSD-SA-11:05.unix, but not actually a security fix.
svn path=/head/; revision=226023
2011-10-04 19:07:38 +00:00 · 2011-10-04 19:07:38 +00:00 · 5da3eb94fc · 2020-12-20 02:59:44 +00:00
commit 5da3eb94fc
parent 837b4d462d
1 changed files with 15 additions and 0 deletions
--- a/sys/compat/linux/linux_socket.c
+++ b/sys/compat/linux/linux_socket.c
@ -104,6 +104,7 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen,
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;

 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@ -166,6 +167,20 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen,
 		}
 	}

+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;