From d5c2c66dba17a9584ff6d8c929bc198a3468f87f Mon Sep 17 00:00:00 2001 From: Xin LI Date: Mon, 12 Jun 2017 09:11:31 +0000 Subject: [PATCH] Fix buffer lengths. After r319369, the RPC code validates caller supplied buffer length in taddr2uaddr. When no -h is specified, the sizeof(ai_addr) is used, which is always smaller than the required size and therefore uaddr would be NULL, causing the kernel to copyin() from userland NULL and fail with EFAULT. Reviewed by: kevlo (via Telegram) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D11151 --- usr.sbin/rpc.lockd/lockd.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/usr.sbin/rpc.lockd/lockd.c b/usr.sbin/rpc.lockd/lockd.c index 88b19b71e2bb..e021f6fb16b0 100644 --- a/usr.sbin/rpc.lockd/lockd.c +++ b/usr.sbin/rpc.lockd/lockd.c @@ -902,8 +902,7 @@ lookup_addresses(struct netconfig *nconf) sin->sin_port = htons(0); sin->sin_addr.s_addr = htonl(INADDR_ANY); res->ai_addr = (struct sockaddr*) sin; - res->ai_addrlen = (socklen_t) - sizeof(res->ai_addr); + res->ai_addrlen = sizeof(struct sockaddr_in); break; case AF_INET6: sin6 = malloc(sizeof(struct sockaddr_in6)); @@ -913,7 +912,7 @@ lookup_addresses(struct netconfig *nconf) sin6->sin6_port = htons(0); sin6->sin6_addr = in6addr_any; res->ai_addr = (struct sockaddr*) sin6; - res->ai_addrlen = (socklen_t) sizeof(res->ai_addr); + res->ai_addrlen = sizeof(struct sockaddr_in6); break; default: break; @@ -938,7 +937,7 @@ lookup_addresses(struct netconfig *nconf) } } - servaddr.len = servaddr.maxlen = res->ai_addr->sa_len; + servaddr.len = servaddr.maxlen = res->ai_addrlen; servaddr.buf = res->ai_addr; uaddr = taddr2uaddr(nconf, &servaddr);