svn commit: r298338 - head/sys/kgssapi
Conrad E. Meyer
cem at FreeBSD.org
Wed Apr 20 05:02:15 UTC 2016
Author: cem
Date: Wed Apr 20 05:02:13 2016
New Revision: 298338
URL: https://svnweb.freebsd.org/changeset/base/298338
Log:
kgssapi(4): Don't allow user-provided arguments to overrun stack buffer
An over-long path argument to gssd_syscall could overrun the stack sockaddr_un
buffer. Fix gssd_syscall to not permit that.
If an over-long path is provided, gssd_syscall now returns EINVAL.
It looks like PRIV_NFS_DAEMON isn't granted anywhere, so my best guess is that
this is likely only triggerable by root.
Reported by: Coverity
CID: 1006751
Sponsored by: EMC / Isilon Storage Division
Modified:
head/sys/kgssapi/gss_impl.c
Modified: head/sys/kgssapi/gss_impl.c
==============================================================================
--- head/sys/kgssapi/gss_impl.c Wed Apr 20 04:50:33 2016 (r298337)
+++ head/sys/kgssapi/gss_impl.c Wed Apr 20 05:02:13 2016 (r298338)
@@ -104,10 +104,12 @@ sys_gssd_syscall(struct thread *td, stru
error = copyinstr(uap->path, path, sizeof(path), NULL);
if (error)
return (error);
+ if (strlen(path) + 1 > sizeof(sun.sun_path))
+ return (EINVAL);
if (path[0] != '\0') {
sun.sun_family = AF_LOCAL;
- strcpy(sun.sun_path, path);
+ strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
sun.sun_len = SUN_LEN(&sun);
nconf = getnetconfigent("local");
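Review bot: The added `return (EINVAL);` gives an over-long path a different errno than the `copyinstr()` call directly above it, which reports ENAMETOOLONG when the user string does not fit in `path`. Consider returning ENAMETOOLONG here as well, so callers see one error for "path too long" regardless of which bound was exceeded. Separately, once the `strlen(path) + 1 > sizeof(sun.sun_path)` check has passed, the `strlcpy()` into `sun.sun_path` cannot truncate. Keeping both is reasonable as defense in depth, but a one-line comment above the check stating that it guarantees the copy fits, NUL terminator included, would stop a later cleanup from dropping one of the two and reintroducing either the overrun or a silently truncated socket path.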