Possible memory overrun and/or MALLOC api violation in getsockaddr()

[Matthew Dillon]

    From what I can tell getsockaddr() (kern/uipc_syscalls.c) is called 
    with a user-supplied length as its argument.  It checks for
    len > SOCK_MAXADDRLEN, but it does not check to see if the length is
    too small and it may MALLOC() a structure, 'sa', which is too small
    for the assignment or assignments it then proceeds to do.  e.g.
    'sa->sa_len = len'.  This could potentially assign a field that is
    beyond the malloc'd region.

    In particular, if you create a UNIX domain socket and bind(...) a 
    0-length structure, the malloc function will be called
    with a length of 0 and sa->sa_len will be assigned to the resulting
    memory.

    Now, due to the the way the allocator works there might be a minimum
    allocation anyway (there is in the old malloc, but I am not sure about
    the slab allocator), so this may or may not be a security issue, but it
    definitely looks like a rather serious API violation.

    If I understand sockaddr's properly, the minimum size is going to be
    offsetof(struct sockaddr, sa_data[0]), which is 2 bytes.  A check
    for this minimum should probably be added to getsockaddr().

					-Matt
					Matthew Dillon 
					<dillon at backplane.com>