From 9d77679a40beb77abbb5c17a01d14577a3e24c59 Mon Sep 17 00:00:00 2001 From: Conrad Meyer Date: Wed, 20 Apr 2016 05:02:13 +0000 Subject: [PATCH] kgssapi(4): Don't allow user-provided arguments to overrun stack buffer An over-long path argument to gssd_syscall could overrun the stack sockaddr_un buffer. Fix gssd_syscall to not permit that. If an over-long path is provided, gssd_syscall now returns EINVAL. It looks like PRIV_NFS_DAEMON isn't granted anywhere, so my best guess is that this is likely only triggerable by root. Reported by: Coverity CID: 1006751 Sponsored by: EMC / Isilon Storage Division --- sys/kgssapi/gss_impl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/kgssapi/gss_impl.c b/sys/kgssapi/gss_impl.c index 38930d77b520..dcb3c7d05547 100644 --- a/sys/kgssapi/gss_impl.c +++ b/sys/kgssapi/gss_impl.c @@ -104,10 +104,12 @@ sys_gssd_syscall(struct thread *td, struct gssd_syscall_args *uap) error = copyinstr(uap->path, path, sizeof(path), NULL); if (error) return (error); + if (strlen(path) + 1 > sizeof(sun.sun_path)) + return (EINVAL); if (path[0] != '\0') { sun.sun_family = AF_LOCAL; - strcpy(sun.sun_path, path); + strlcpy(sun.sun_path, path, sizeof(sun.sun_path)); sun.sun_len = SUN_LEN(&sun); nconf = getnetconfigent("local");
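Review bot: The new length check in sys_gssd_syscall returns EINVAL for a path that fits `path` but not `sun.sun_path`, while a string too long for `path` is rejected by the `copyinstr` call just above with that function's own error (ENAMETOOLONG per copyinstr(9)). Callers therefore get two different errnos for the same kind of mistake. Consider returning ENAMETOOLONG here as well, or document the EINVAL case for this syscall. The check could also skip the second scan of the string: pass a `size_t` to `copyinstr` in place of `NULL` and compare the returned length, which already counts the terminating NUL, against `sizeof(sun.sun_path)` instead of calling `strlen(path) + 1`. With the check in place the `strlcpy(sun.sun_path, path, sizeof(sun.sun_path))` can never truncate, so it is defense in depth only. A one-line comment saying so would keep a later cleanup from dropping the check on the assumption that `strlcpy` alone is enough, since silent truncation would bind to a different socket path than the caller asked for.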