Date:      Thu, 15 Jun 2017 04:37:23 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r319966 - stable/10/usr.sbin/rpc.lockd
Message-ID:  <201706150437.v5F4bNK6066449@repo.freebsd.org>

Author: delphij
Date: Thu Jun 15 04:37:23 2017
New Revision: 319966
URL: https://svnweb.freebsd.org/changeset/base/319966

Log:
  MFC r319852:
  
  Fix buffer lengths.
  
  After r319369, the RPC code validates caller supplied buffer length in
  taddr2uaddr.  When no -h is specified, the sizeof(ai_addr) is used,
  which is always smaller than the required size and therefore uaddr
  would be NULL, causing the kernel to copyin() from userland NULL
  and fail with EFAULT.

Modified:
  stable/10/usr.sbin/rpc.lockd/lockd.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.sbin/rpc.lockd/lockd.c
==============================================================================
--- stable/10/usr.sbin/rpc.lockd/lockd.c	Thu Jun 15 03:58:23 2017	(r319965)
+++ stable/10/usr.sbin/rpc.lockd/lockd.c	Thu Jun 15 04:37:23 2017	(r319966)
@@ -906,8 +906,7 @@ lookup_addresses(struct netconfig *nconf)
 						sin->sin_port = htons(0);
 						sin->sin_addr.s_addr = htonl(INADDR_ANY);
 						res->ai_addr = (struct sockaddr*) sin;
-						res->ai_addrlen = (socklen_t)
-						    sizeof(res->ai_addr);
+						res->ai_addrlen = sizeof(struct sockaddr_in);
 						break;
 					case AF_INET6:
 						sin6 = malloc(sizeof(struct sockaddr_in6));
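Review bot: The corrected length assignments in the AF_INET case here and in the AF_INET6 case of the next hunk carry no comment explaining why the structure size is used. The old `sizeof(res->ai_addr)` measured the pointer and compiled without complaint, so the mistake is easy to reintroduce. A one-line comment above each assignment would help, for example `/* size of the sockaddr itself, not of the pointer; taddr2uaddr() rejects short buffers */`. Whether `sin_len`/`sin6_len` are also filled in for these hand-built addresses cannot be seen from here, because the case bodies begin outside the hunk; if they are not, that is worth a second comment now that the last hunk no longer reads `sa_len`.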
@@ -917,7 +916,7 @@ lookup_addresses(struct netconfig *nconf)
 						sin6->sin6_port = htons(0);
 						sin6->sin6_addr = in6addr_any;
 						res->ai_addr = (struct sockaddr*) sin6;
-						res->ai_addrlen = (socklen_t) sizeof(res->ai_addr);
+						res->ai_addrlen = sizeof(struct sockaddr_in6);
 						break;
 					default:
 						break;
@@ -942,7 +941,7 @@ lookup_addresses(struct netconfig *nconf)
 			}
 		}
 
-		servaddr.len = servaddr.maxlen = res->ai_addr->sa_len;
+		servaddr.len = servaddr.maxlen = res->ai_addrlen;
 		servaddr.buf = res->ai_addr;
 		uaddr = taddr2uaddr(nconf, &servaddr);
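Review bot: The return value of `taddr2uaddr()` is not checked in the visible lines. The log message describes exactly this failure: a rejected length gives a NULL `uaddr`, which travels on until the kernel's copyin() fails with EFAULT. A guard directly after the call, such as `if (uaddr == NULL) { /* report the failure and bail out */ }`, would report any future length mismatch where it happens instead of as an opaque errno later. Since `res->ai_addrlen` is now the only length source for both getaddrinfo() results and the hand-built wildcard addresses, every path that fills `res` needs to set it. The function continues past the end of the hunk, so such a check may already exist further down.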
 


