The 'struct sockaddr_un' only allows 108 bytes for the socket path. Currently QEMU uses snprintf() and so silently truncates the socket path provided by the user. This is undesirable because the user will then be unable to connect to the path they asked for. This change makes QEMU bounds check and report an explicit error message.
Signed-off-by: Daniel P. Berrange <berra...@redhat.com> --- util/qemu-sockets.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c index d8183f7..e249dbe 100644 --- a/util/qemu-sockets.c +++ b/util/qemu-sockets.c @@ -855,6 +855,12 @@ static int unix_listen_saddr(UnixSocketAddress *saddr, memset(&un, 0, sizeof(un)); un.sun_family = AF_UNIX; if (saddr->path && strlen(saddr->path)) { + if (strlen(saddr->path) > sizeof(un.sun_path)) { + error_setg(errp, "UNIX socket path '%s' is too long", saddr->path); + error_append_hint(errp, "Path must be less than %zu bytes\n", + sizeof(un.sun_path)); + return -1; + } snprintf(un.sun_path, sizeof(un.sun_path), "%s", saddr->path); } else { const char *tmpdir = getenv("TMPDIR"); -- 2.9.3