Re: [PATCH] bs_sheepdog.c: fix up buffer overrun issues with unix domain socket

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue,  3 Dec 2013 10:28:42 +0900
Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx> wrote:

> The current sheepdog driver still has two buffer overrun issues due to
> unsafe strncpy uses for the pathname buffer of unix domain socket:
> 
> 1) The size of "sun_path" string buffer of "sockaddr_un" structure is
>    108 bytes, however, UNIX_PATH_MAX macro is locally defined as 109.
>    So, the following strncpy use at connect_to_sdog_unix function
>    still can be filled without a terminating null byte.
> 
>       strncpy(un.sun_path, path, UNIX_PATH_MAX - 1);
> 
> 2) The following use of strncpy at sd_open function also has a buffer
>    overrun issue because the size of ai->uds_path is the same as
>    UNIX_PATH_MAX.
> 
>       strncpy(ai->uds_path, result, UNIX_PATH_MAX);
> 
> Moreover, the local definition of UNIX_PATH_MAX, which gives the
> buffer size of unix domain socket pathname, is confusing.  It is
> traditionally used to define the size of "sun_path" string buffer of
> "sockaddr_un", which is 108 bytes including a terminating null byte,
> but this local macro sets it to 109 bytes.
> 
> This patch fixes up these issues.
> 
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx>
> Cc: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
> ---
>  usr/bs_sheepdog.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux SCSI]     [Linux RAID]     [Linux Clusters]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]

  Powered by Linux