On Tue, 3 Dec 2013 10:28:42 +0900
Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx> wrote:

> The current sheepdog driver still has two buffer overrun issues due to
> unsafe strncpy uses for the pathname buffer of unix domain socket:
>
> 1) The size of "sun_path" string buffer of "sockaddr_un" structure is
>    108 bytes, however, UNIX_PATH_MAX macro is locally defined as 109.
>    So, the following strncpy use at connect_to_sdog_unix function
>    still can be filled without a terminating null byte.
>
>      strncpy(un.sun_path, path, UNIX_PATH_MAX - 1);
>
> 2) The following use of strncpy at sd_open function also has a buffer
>    overrun issue because the size of ai->uds_path is the same as
>    UNIX_PATH_MAX.
>
>      strncpy(ai->uds_path, result, UNIX_PATH_MAX);
>
> Moreover, the local definition of UNIX_PATH_MAX, which gives the
> buffer size of unix domain socket pathname, is confusing. It is
> traditionally used to define the size of "sun_path" string buffer of
> "sockaddr_un", which is 108 bytes including a terminating null byte,
> but this local macro sets it to 109 bytes.
>
> This patch fixes up these issues.
>
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx>
> Cc: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
> ---
>  usr/bs_sheepdog.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Applied, thanks.
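The failure mode described in the quoted commit message, as an added example that is not part of the original thread or of the tgt source: a strncpy whose bound equals the size of sun_path leaves the buffer without a terminating null byte, next to a copy that rejects over-long paths. The function names set_unix_path and strncpy_leaves_unterminated are hypothetical, and the test paths are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not from tgt): copy a socket pathname into
 * sun_path, rejecting anything that would not fit together with its
 * terminating null byte. Returns 0 on success, -1 if too long. */
int set_unix_path(struct sockaddr_un *un, const char *path)
{
	size_t len = strlen(path);

	if (len >= sizeof(un->sun_path))
		return -1;                     /* refuse instead of truncating */

	memset(un, 0, sizeof(*un));
	un->sun_family = AF_UNIX;
	memcpy(un->sun_path, path, len + 1);   /* len + 1 copies the '\0' too */
	return 0;
}

/* Reproduces the unsafe pattern: strncpy bounded by the full buffer size.
 * Builds a constructed path of path_len 'a' characters and returns 1 if
 * sun_path ends up with no null byte, 0 if terminated, -1 on bad input. */
int strncpy_leaves_unterminated(size_t path_len)
{
	struct sockaddr_un un;
	char path[256];

	if (path_len >= sizeof(path))
		return -1;
	memset(path, 'a', path_len);
	path[path_len] = '\0';

	memset(&un, 0xff, sizeof(un));         /* poison: a missing '\0' shows */
	strncpy(un.sun_path, path, sizeof(un.sun_path));
	return memchr(un.sun_path, '\0', sizeof(un.sun_path)) == NULL;
}

int main(void)
{
	size_t cap = sizeof(((struct sockaddr_un *)0)->sun_path);

	printf("sun_path size: %zu\n", cap);
	printf("unterminated at %zu chars: %d\n", cap,
	       strncpy_leaves_unterminated(cap));
	return 0;
}
```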