On Thu, Dec 05, 2013 at 05:25:21PM +0100, Wolfgang Solfrank wrote:
> For one thing, you append the trailing '\0' one byte beyond the
> end of the now extended mbuf.

Attached is a second attempt;

> In addition, there are other places where the additional byte
> needs to be accounted for, e.g. in makeun() within this file.
> Not sure whether there are others.

There is already a +1 in makeun.
*addrlen = nam->m_len + 1;

-- 
Emmanuel Dreyfus
m...@netbsd.org
Index: sys/kern/uipc_usrreq.c =================================================================== RCS file: /cvsroot/src/sys/kern/uipc_usrreq.c,v retrieving revision 1.148 diff -U8 -r1.148 uipc_usrreq.c --- sys/kern/uipc_usrreq.c 29 Oct 2013 09:53:51 -0000 1.148 +++ sys/kern/uipc_usrreq.c 5 Dec 2013 16:40:22 -0000 @@ -343,25 +343,28 @@ if (unp->unp_conn && unp->unp_conn->unp_addr) sun = unp->unp_conn->unp_addr; } else { if (unp->unp_addr) sun = unp->unp_addr; } if (sun == NULL) sun = &sun_noname; - nam->m_len = sun->sun_len; + + nam->m_len = sun->sun_len + 1; /* +1 for trailing \0 */ + if (nam->m_len > MLEN && !ext) { sounlock(so); MEXTMALLOC(nam, MAXPATHLEN * 2, M_WAITOK); solock(so); ext = true; } else { KASSERT(nam->m_len <= MAXPATHLEN * 2); memcpy(mtod(nam, void *), sun, (size_t)nam->m_len); + mtod(nam, char *)[nam->m_len - 1] = '\0'; break; } } } /*ARGSUSED*/ int uipc_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
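
Review bot: in the else branch the memcpy() still takes (size_t)nam->m_len as its length, which is now sun->sun_len + 1, so it reads one byte past sun_len from the source sockaddr before the added line overwrites that byte with '\0'. Unless every unp_addr (and sun_noname) is guaranteed to be backed by at least sun_len + 1 bytes, that is a one-byte over-read of the source; copying only sun->sun_len bytes, as in memcpy(mtod(nam, void *), sun, sun->sun_len); and keeping the terminator store after it, removes that dependency. The new m_len assignment also deserves a fuller comment than "+1 for trailing \0": m_len now differs by one from the sun_len field copied into the mbuf, so consumers that treat m_len as the address length should be checked so the extra byte is not counted twice, given that the reply notes makeun() already adds its own + 1.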