d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kgssapi(4): Don't allow user-provided arguments to overrun stack buffer

Browse Source 
An over-long path argument to gssd_syscall could overrun the stack sockaddr_un
buffer.  Fix gssd_syscall to not permit that.

If an over-long path is provided, gssd_syscall now returns EINVAL.

It looks like PRIV_NFS_DAEMON isn't granted anywhere, so my best guess is that
this is likely only triggerable by root.

Reported by:	Coverity
CID:		1006751
Sponsored by:	EMC / Isilon Storage Division
This commit is contained in:
Conrad Meyer 2016-04-20 05:02:13 +00:00
parent b51230b720
commit 9d77679a40
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/kgssapi/gss_impl.c
View File

@ -104,10 +104,12 @@ sys_gssd_syscall(struct thread *td, struct gssd_syscall_args *uap)
error = copyinstr(uap->path, path, sizeof(path), NULL);
if (error)
return (error);
if (strlen(path) + 1 > sizeof(sun.sun_path))
return (EINVAL);
if (path[0] != '\0') {
sun.sun_family = AF_LOCAL;
strcpy(sun.sun_path, path);
strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
sun.sun_len = SUN_LEN(&sun);
nconf = getnetconfigent("local");