Bug 31507
| Summary: | Risk of buffer overflow in struct sockaddr_un | ||
|---|---|---|---|
| Product: | Base System | Reporter: | stas <stas> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 4.1-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
<<On Fri, 26 Oct 2001 17:03:13 +0600 (YEKST), stas@grumbler.org said: > There programmer may use folowing code: > struct sockaddr_un server; > #ifdef MAX_SUN_PATH > strncpy(server.sun_path, file_fifo, MAX_SUN_PATH); > #else > strncpy(server.sun_path, file_fifo, 104); /* or other platform-depended value */ > #endif No, the correct code would ALWAYS be: strncpy(server.sun_path, file_fifo, sizeof server.sun_path); POSIX says: # Applications should not assume a particular length for sun_path or # assume that it can hold {_POSIX_PATH_MAX} characters (255). -GAWollman State Changed From-To: open->closed Clients of this interface are expected to use the sizeof operator. |
In the sys/un.h sockaddr_un declared as: /* * Definitions for UNIX IPC domain. */ struct sockaddr_un { u_char sun_len; /* sockaddr len including null */ u_char sun_family; /* AF_UNIX */ char sun_path[104]; /* path name (gag) */ }; In array size present numerical constant vith value very less than the PATH_MAX constant. Fix: Apply this path #ifdef MAX_SUN_PATHd.org/pub/FreeBSD/branches/-current/src/sys/sys/un.h: There programmer may use folowing code: struct sockaddr_un server; #ifdef MAX_SUN_PATH strncpy(server.sun_path, file_fifo, MAX_SUN_PATH); #else strncpy(server.sun_path, file_fifo, 104); /* or other platform-depended value */ #endif--gwRtvQCv51KkPZp0Q59Mnv7GqKHDRiYRheyB7QS1us8WK6ZT Content-Type: text/plain; name="file.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="file.diff" --- un.h.orig Fri Oct 26 16:17:01 2001 +++ un.h Fri Oct 26 16:17:01 2001 @@ -38,4 +38,5 @@ #define _SYS_UN_H_ +#define MAX_SUN_PATH 104 /* * Definitions for UNIX IPC domain. @@ -44,5 +45,5 @ u_char sun_len; /* sockaddr len including null */ u_char sun_family; /* AF_UNIX */ - char sun_path[104]; /* path name (gag) */ + char sun_path[MAX_SUN_PATH]; /* path name (gag) */ };