From owner-svn-src-all@FreeBSD.ORG Tue Oct 4 19:07:40 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B011106568D; Tue, 4 Oct 2011 19:07:40 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id D1F9F8FC14; Tue, 4 Oct 2011 19:07:39 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p94J7d8V075305; Tue, 4 Oct 2011 19:07:39 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p94J7dHA075303; Tue, 4 Oct 2011 19:07:39 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <201110041907.p94J7dHA075303@svn.freebsd.org> From: Colin Percival Date: Tue, 4 Oct 2011 19:07:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r226023 - head/sys/compat/linux releng/7.3 releng/7.3/sys/compat/linux releng/7.3/sys/conf releng/7.4 releng/7.4/sys/compat/linux releng/7.4/sys/conf releng/8.1 releng/8.1/sys/compat/li... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Oct 2011 19:07:40 -0000 Author: cperciva Date: Tue Oct 4 19:07:38 2011 New Revision: 226023 URL: http://svn.freebsd.org/changeset/base/226023 Log: Fix a bug in UNIX socket handling in the linux emulator which was exposed by the security fix in FreeBSD-SA-11:05.unix. Approved by: so (cperciva) Approved by: re (kib) Security: Related to FreeBSD-SA-11:05.unix, but not actually a security fix. Modified: stable/9/sys/compat/linux/linux_socket.c Changes in other areas also in this revision: Modified: head/sys/compat/linux/linux_socket.c releng/7.3/UPDATING releng/7.3/sys/compat/linux/linux_socket.c releng/7.3/sys/conf/newvers.sh releng/7.4/UPDATING releng/7.4/sys/compat/linux/linux_socket.c releng/7.4/sys/conf/newvers.sh releng/8.1/UPDATING releng/8.1/sys/compat/linux/linux_socket.c releng/8.1/sys/conf/newvers.sh releng/8.2/UPDATING releng/8.2/sys/compat/linux/linux_socket.c releng/8.2/sys/conf/newvers.sh stable/7/sys/compat/linux/linux_socket.c stable/8/sys/compat/linux/linux_socket.c Modified: stable/9/sys/compat/linux/linux_socket.c ============================================================================== --- stable/9/sys/compat/linux/linux_socket.c Tue Oct 4 18:45:29 2011 (r226022) +++ stable/9/sys/compat/linux/linux_socket.c Tue Oct 4 19:07:38 2011 (r226023) @@ -104,6 +104,7 @@ do_sa_get(struct sockaddr **sap, const s int oldv6size; struct sockaddr_in6 *sin6; #endif + int namelen; if (*osalen < 2 || *osalen > UCHAR_MAX || !osa) return (EINVAL); @@ -166,6 +167,20 @@ do_sa_get(struct sockaddr **sap, const s } } + if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) { + for (namelen = 0; + namelen < *osalen - offsetof(struct sockaddr_un, sun_path); + namelen++) + if (!((struct sockaddr_un *)kosa)->sun_path[namelen]) + break; + if (namelen + offsetof(struct sockaddr_un, sun_path) > + sizeof(struct sockaddr_un)) { + error = EINVAL; + goto out; + } + alloclen = sizeof(struct sockaddr_un); + } + sa = (struct sockaddr *) kosa; sa->sa_family = bdom; sa->sa_len = alloclen;