Date: Mon, 12 Jun 2017 09:11:31 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r319852 - head/usr.sbin/rpc.lockd
Message-ID: <201706120911.v5C9BVWG083697@repo.freebsd.org>
Author: delphij Date: Mon Jun 12 09:11:31 2017 New Revision: 319852 URL: https://svnweb.freebsd.org/changeset/base/319852 Log: Fix buffer lengths. After r319369, the RPC code validates caller supplied buffer length in taddr2uaddr. When no -h is specified, the sizeof(ai_addr) is used, which is always smaller than the required size and therefore uaddr would be NULL, causing the kernel to copyin() from userland NULL and fail with EFAULT. Reviewed by: kevlo (via Telegram) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D11151 Modified: head/usr.sbin/rpc.lockd/lockd.c Modified: head/usr.sbin/rpc.lockd/lockd.c ============================================================================== --- head/usr.sbin/rpc.lockd/lockd.c Mon Jun 12 07:48:51 2017 (r319851) +++ head/usr.sbin/rpc.lockd/lockd.c Mon Jun 12 09:11:31 2017 (r319852) @@ -902,8 +902,7 @@ lookup_addresses(struct netconfig *nconf) sin->sin_port = htons(0); sin->sin_addr.s_addr = htonl(INADDR_ANY); res->ai_addr = (struct sockaddr*) sin; - res->ai_addrlen = (socklen_t) - sizeof(res->ai_addr); + res->ai_addrlen = sizeof(struct sockaddr_in); break; case AF_INET6: sin6 = malloc(sizeof(struct sockaddr_in6)); @@ -913,7 +912,7 @@ lookup_addresses(struct netconfig *nconf) sin6->sin6_port = htons(0); sin6->sin6_addr = in6addr_any; res->ai_addr = (struct sockaddr*) sin6; - res->ai_addrlen = (socklen_t) sizeof(res->ai_addr); + res->ai_addrlen = sizeof(struct sockaddr_in6); break; default: break; @@ -938,7 +937,7 @@ lookup_addresses(struct netconfig *nconf) } } - servaddr.len = servaddr.maxlen = res->ai_addr->sa_len; + servaddr.len = servaddr.maxlen = res->ai_addrlen; servaddr.buf = res->ai_addr; uaddr = taddr2uaddr(nconf, &servaddr);
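Review bot: In the AF_INET and AF_INET6 arms (hunks at -902 and -913) the new length repeats the type name instead of being derived from the buffer that was just allocated, so it can drift from the malloc() size again, which is the same class of mistake as the sizeof(res->ai_addr) being removed. Writing res->ai_addrlen = sizeof(*sin); and res->ai_addrlen = sizeof(*sin6); keeps the length tied to the allocation. The default: break; arm shown in the trailing context still leaves res->ai_addrlen unset by this switch, and the third hunk now reads that field, so an unexpected address family should fail explicitly there rather than fall through.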
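Review bot: The last line of the hunk at -938, uaddr = taddr2uaddr(nconf, &servaddr);, has no visible check on the return value, and the log message says a NULL uaddr was previously handed on until the kernel's copyin() failed with EFAULT. Correcting servaddr.len removes this one cause, but a NULL test on uaddr right after the call, with an error naming the netconfig entry, would make any future length or family mismatch fail at the source instead of surfacing as an opaque EFAULT. If that check already exists below the visible context, nothing more is needed here.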