Date: Thu, 10 Feb 2011 00:20:57 +0000 (UTC) From: Max Laier <mlaier@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r218502 - stable/7/sys/kern Message-ID: <201102100020.p1A0KvmS002874@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mlaier Date: Thu Feb 10 00:20:56 2011 New Revision: 218502 URL: http://svn.freebsd.org/changeset/base/218502 Log: MFH: r180238 Use bcopy instead of strlcpy in uipc_bind and unp_connect, since soun->sun_path isn't a null-terminated string. As UNIX(4) states, "the terminating NUL is not part of the address." Since strlcpy has to return "the total length of the string [it] tried to create," it walks off the end of soun->sun_path looking for a \0. This reverts r105332. Modified: stable/7/sys/kern/uipc_usrreq.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/kern/uipc_usrreq.c ============================================================================== --- stable/7/sys/kern/uipc_usrreq.c Thu Feb 10 00:05:11 2011 (r218501) +++ stable/7/sys/kern/uipc_usrreq.c Thu Feb 10 00:20:56 2011 (r218502) @@ -421,7 +421,8 @@ uipc_bind(struct socket *so, struct sock UNP_PCB_UNLOCK(unp); buf = malloc(namelen + 1, M_TEMP, M_WAITOK); - strlcpy(buf, soun->sun_path, namelen + 1); + bcopy(soun->sun_path, buf, namelen); + buf[namelen] = 0; restart: vfslocked = 0; @@ -1144,7 +1145,8 @@ unp_connect(struct socket *so, struct so len = nam->sa_len - offsetof(struct sockaddr_un, sun_path); if (len <= 0) return (EINVAL); - strlcpy(buf, soun->sun_path, len + 1); + bcopy(soun->sun_path, buf, len); + buf[len] = 0; UNP_PCB_LOCK(unp); if (unp->unp_flags & UNP_CONNECTING) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201102100020.p1A0KvmS002874>