The 'struct sockaddr_un' only allows 108 bytes for the socket
path. Currently QEMU uses snprintf() and so silently truncates
the socket path provided by the user. This is undesirable because
the user will then be unable to connect to the path they asked
for. This change makes QEMU bounds check and report an explicit
error message.
Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
---
util/qemu-sockets.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
index d8183f7..e249dbe 100644
--- a/util/qemu-sockets.c
+++ b/util/qemu-sockets.c
@@ -855,6 +855,12 @@ static int unix_listen_saddr(UnixSocketAddress *saddr,
memset(&un, 0, sizeof(un));
un.sun_family = AF_UNIX;
if (saddr->path && strlen(saddr->path)) {
+ if (strlen(saddr->path) > sizeof(un.sun_path)) {
+ error_setg(errp, "UNIX socket path '%s' is too long", saddr->path);
+ error_append_hint(errp, "Path must be less than %zu bytes\n",
+ sizeof(un.sun_path));
+ return -1;
+ }
snprintf(un.sun_path, sizeof(un.sun_path), "%s", saddr->path);
} else {
const char *tmpdir = getenv("TMPDIR");
--
2.9.3
