svn commit: r226023 - head/sys/compat/linux releng/7.3 releng/7.3/sys/compat/linux releng/7.3/sys/conf releng/7.4 releng/7.4/sys/compat/linux releng/7.4/sys/conf releng/8.1 releng/8.1/sys/compat/li...

Tue, 04 Oct 2011 12:09:24 -0700 

Author: cperciva
Date: Tue Oct  4 19:07:38 2011
New Revision: 226023
URL: http://svn.freebsd.org/changeset/base/226023

Log:
  Fix a bug in UNIX socket handling in the linux emulator which was
  exposed by the security fix in FreeBSD-SA-11:05.unix.
  
  Approved by:  so (cperciva)
  Approved by:  re (kib)
  Security:     Related to FreeBSD-SA-11:05.unix, but not actually
                a security fix.

Modified:
  head/sys/compat/linux/linux_socket.c

Changes in other areas also in this revision:
Modified:
  releng/7.3/UPDATING
  releng/7.3/sys/compat/linux/linux_socket.c
  releng/7.3/sys/conf/newvers.sh
  releng/7.4/UPDATING
  releng/7.4/sys/compat/linux/linux_socket.c
  releng/7.4/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/sys/compat/linux/linux_socket.c
  releng/8.1/sys/conf/newvers.sh
  releng/8.2/UPDATING
  releng/8.2/sys/compat/linux/linux_socket.c
  releng/8.2/sys/conf/newvers.sh
  stable/7/sys/compat/linux/linux_socket.c
  stable/8/sys/compat/linux/linux_socket.c
  stable/9/sys/compat/linux/linux_socket.c

Modified: head/sys/compat/linux/linux_socket.c
==============================================================================
--- head/sys/compat/linux/linux_socket.c        Tue Oct  4 18:45:29 2011        
(r226022)
+++ head/sys/compat/linux/linux_socket.c        Tue Oct  4 19:07:38 2011        
(r226023)
@@ -104,6 +104,7 @@ do_sa_get(struct sockaddr **sap, const s
        int oldv6size;
        struct sockaddr_in6 *sin6;
 #endif
+       int namelen;
 
        if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
                return (EINVAL);
@@ -166,6 +167,20 @@ do_sa_get(struct sockaddr **sap, const s
                }
        }
 
+       if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+               for (namelen = 0;
+                   namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+                   namelen++)
+                       if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+                               break;
+               if (namelen + offsetof(struct sockaddr_un, sun_path) >
+                   sizeof(struct sockaddr_un)) {
+                       error = EINVAL;
+                       goto out;
+               }
+               alloclen = sizeof(struct sockaddr_un);
+       }
+
        sa = (struct sockaddr *) kosa;
        sa->sa_family = bdom;
        sa->sa_len = alloclen;
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to