Fix buffer lengths.
After r319369, the RPC code validates the caller-supplied buffer length in taddr2uaddr. When no -h is specified, sizeof(ai_addr) is used, which is always smaller than the required size, so uaddr would be NULL, causing the kernel to copyin() from a userland NULL pointer and fail with EFAULT. Reviewed by: kevlo (via Telegram) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D11151
parent
12bbbbb254
commit
d5c2c66dba
@ -902,8 +902,7 @@ lookup_addresses(struct netconfig *nconf)
|
||||
sin->sin_port = htons(0);
|
||||
sin->sin_addr.s_addr = htonl(INADDR_ANY);
|
||||
res->ai_addr = (struct sockaddr*) sin;
|
||||
res->ai_addrlen = (socklen_t)
|
||||
sizeof(res->ai_addr);
|
||||
res->ai_addrlen = sizeof(struct sockaddr_in);
|
||||
break;
|
||||
case AF_INET6:
|
||||
sin6 = malloc(sizeof(struct sockaddr_in6));
|
||||
@ -913,7 +912,7 @@ lookup_addresses(struct netconfig *nconf)
|
||||
sin6->sin6_port = htons(0);
|
||||
sin6->sin6_addr = in6addr_any;
|
||||
res->ai_addr = (struct sockaddr*) sin6;
|
||||
res->ai_addrlen = (socklen_t) sizeof(res->ai_addr);
|
||||
res->ai_addrlen = sizeof(struct sockaddr_in6);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
@ -938,7 +937,7 @@ lookup_addresses(struct netconfig *nconf)
|
||||
}
|
||||
}
|
||||
|
||||
servaddr.len = servaddr.maxlen = res->ai_addr->sa_len;
|
||||
servaddr.len = servaddr.maxlen = res->ai_addrlen;
|
||||
servaddr.buf = res->ai_addr;
|
||||
uaddr = taddr2uaddr(nconf, &servaddr);
|
||||
|
||||
|
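Review bot: The result of `taddr2uaddr(nconf, &servaddr)` in the last hunk is still used without a visible NULL check, so the failure described in the commit message (a NULL uaddr reaching the kernel and surfacing only as EFAULT) would come back if the length were ever wrong again or the conversion failed for another reason. I would add `if (uaddr == NULL)` right after the call and take the file's usual fatal-error path with a message naming `nconf->nc_netid`, so the failure is reported where it happens. The rest of lookup_addresses lies outside the hunks, so such a check may already exist further down; if it does, this can be ignored. Separately, the `default: break;` arm in the second hunk sets neither `res->ai_addr` nor `res->ai_addrlen` in the visible lines, and the later `servaddr.buf = res->ai_addr` appears to run regardless, which is worth confirming.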