svn commit: r226023 - head/sys/compat/linux releng/7.3 releng/7.3/sys/compat/linux releng/7.3/sys/conf releng/7.4 releng/7.4/sys/compat/linux releng/7.4/sys/conf releng/8.1 releng/8.1/sys/compat/li...

Colin Percival cperciva at FreeBSD.org
Tue Oct 4 19:07:40 UTC 2011


Author: cperciva
Date: Tue Oct  4 19:07:38 2011
New Revision: 226023
URL: http://svn.freebsd.org/changeset/base/226023

Log:
  Fix a bug in UNIX socket handling in the linux emulator which was
  exposed by the security fix in FreeBSD-SA-11:05.unix.
  
  Approved by:	so (cperciva)
  Approved by:	re (kib)
  Security:	Related to FreeBSD-SA-11:05.unix, but not actually
  		a security fix.

Modified:
  stable/9/sys/compat/linux/linux_socket.c

Changes in other areas also in this revision:
Modified:
  head/sys/compat/linux/linux_socket.c
  releng/7.3/UPDATING
  releng/7.3/sys/compat/linux/linux_socket.c
  releng/7.3/sys/conf/newvers.sh
  releng/7.4/UPDATING
  releng/7.4/sys/compat/linux/linux_socket.c
  releng/7.4/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/sys/compat/linux/linux_socket.c
  releng/8.1/sys/conf/newvers.sh
  releng/8.2/UPDATING
  releng/8.2/sys/compat/linux/linux_socket.c
  releng/8.2/sys/conf/newvers.sh
  stable/7/sys/compat/linux/linux_socket.c
  stable/8/sys/compat/linux/linux_socket.c

Modified: stable/9/sys/compat/linux/linux_socket.c
==============================================================================
--- stable/9/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ stable/9/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -104,6 +104,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
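Review bot: `namelen` is declared `int`, but the loop and length test added further down in do_sa_get compare and add it against `offsetof()` and `sizeof` results, which are `size_t`, so every use of it is a mixed-sign comparison. Declaring it as `size_t namelen;` would keep the arithmetic in one type and avoid sign-compare warnings. The values appear to be bounded by the `*osalen > UCHAR_MAX` rejection visible in this hunk, so this is a style point rather than a bug. The body of do_sa_get starts and ends outside the hunk.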
@@ -166,6 +167,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;
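Review bot: The added AF_LOCAL block has no comment explaining why a length above `sizeof(struct sockaddr_un)` is accepted and then clamped, although this is presumably the code that keeps `sa_len` within the bound introduced by FreeBSD-SA-11:05.unix. I would put above the `if` something like `/* A Linux caller may pass a sockaddr_un longer than the native one; accept it only if the NUL-terminated path fits, and report the native size in sa_len. */`. The comment should also state the boundary case: assuming `sun_path` is the last member, a path of exactly `sizeof(sun_path)` bytes passes the `>` test with no terminator inside the structure, so say whether that is intended to match native behaviour. The scan indexes `sun_path[namelen]` up to `*osalen`, which relies on `kosa` holding at least `*osalen` copied bytes; that allocation and copy are outside the hunk and worth confirming.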

