Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 4 Oct 2011 19:07:39 +0000 (UTC)
From:      Colin Percival <cperciva@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r226023 - head/sys/compat/linux releng/7.3 releng/7.3/sys/compat/linux releng/7.3/sys/conf releng/7.4 releng/7.4/sys/compat/linux releng/7.4/sys/conf releng/8.1 releng/8.1/sys/compat/li...
Message-ID:  <201110041907.p94J7dSw075309@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: cperciva
Date: Tue Oct  4 19:07:38 2011
New Revision: 226023
URL: http://svn.freebsd.org/changeset/base/226023

Log:
  Fix a bug in UNIX socket handling in the linux emulator which was
  exposed by the security fix in FreeBSD-SA-11:05.unix.
  
  Approved by:	so (cperciva)
  Approved by:	re (kib)
  Security:	Related to FreeBSD-SA-11:05.unix, but not actually
  		a security fix.

Modified:
  stable/8/sys/compat/linux/linux_socket.c

Changes in other areas also in this revision:
Modified:
  head/sys/compat/linux/linux_socket.c
  releng/7.3/UPDATING
  releng/7.3/sys/compat/linux/linux_socket.c
  releng/7.3/sys/conf/newvers.sh
  releng/7.4/UPDATING
  releng/7.4/sys/compat/linux/linux_socket.c
  releng/7.4/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/sys/compat/linux/linux_socket.c
  releng/8.1/sys/conf/newvers.sh
  releng/8.2/UPDATING
  releng/8.2/sys/compat/linux/linux_socket.c
  releng/8.2/sys/conf/newvers.sh
  stable/7/sys/compat/linux/linux_socket.c
  stable/9/sys/compat/linux/linux_socket.c

Modified: stable/8/sys/compat/linux/linux_socket.c
==============================================================================
--- stable/8/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ stable/8/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201110041907.p94J7dSw075309>