svn commit: r319966 - stable/10/usr.sbin/rpc.lockd
Xin LI
delphij at FreeBSD.org
Thu Jun 15 04:37:24 UTC 2017
Author: delphij
Date: Thu Jun 15 04:37:23 2017
New Revision: 319966
URL: https://svnweb.freebsd.org/changeset/base/319966
Log:
MFC r319852:
Fix buffer lengths.
After r319369, the RPC code validates caller supplied buffer length in
taddr2uaddr. When no -h is specified, the sizeof(ai_addr) is used,
which is always smaller than the required size and therefore uaddr
would be NULL, causing the kernel to copyin() from userland NULL
and fail with EFAULT.
Modified:
stable/10/usr.sbin/rpc.lockd/lockd.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/usr.sbin/rpc.lockd/lockd.c
==============================================================================
--- stable/10/usr.sbin/rpc.lockd/lockd.c Thu Jun 15 03:58:23 2017 (r319965)
+++ stable/10/usr.sbin/rpc.lockd/lockd.c Thu Jun 15 04:37:23 2017 (r319966)
@@ -906,8 +906,7 @@ lookup_addresses(struct netconfig *nconf)
sin->sin_port = htons(0);
sin->sin_addr.s_addr = htonl(INADDR_ANY);
res->ai_addr = (struct sockaddr*) sin;
- res->ai_addrlen = (socklen_t)
- sizeof(res->ai_addr);
+ res->ai_addrlen = sizeof(struct sockaddr_in);
break;
case AF_INET6:
sin6 = malloc(sizeof(struct sockaddr_in6));
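Review bot: The corrected length on the `+` line is written as a type name, independent of the object it describes, which is the same loose coupling that let `sizeof(res->ai_addr)` (the size of a pointer) slip in originally. Writing `res->ai_addrlen = sizeof(*sin);` here, and `sizeof(*sin6)` in the AF_INET6 hunk that follows, keeps the length tied to the allocated structure. The AF_INET case begins above this hunk, so the matching allocation is not visible here.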
@@ -917,7 +916,7 @@ lookup_addresses(struct netconfig *nconf)
sin6->sin6_port = htons(0);
sin6->sin6_addr = in6addr_any;
res->ai_addr = (struct sockaddr*) sin6;
- res->ai_addrlen = (socklen_t) sizeof(res->ai_addr);
+ res->ai_addrlen = sizeof(struct sockaddr_in6);
break;
default:
break;
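Review bot: In the visible lines only `sin6_port` and `sin6_addr` are assigned after the `malloc` shown at the end of the previous hunk, so `sin6_len`, `sin6_flowinfo` and `sin6_scope_id` may still hold indeterminate heap contents when the structure is later handed over as `servaddr.buf`. Unless the lines between the two hunks already clear it, allocating with `sin6 = calloc(1, sizeof(*sin6));` and setting `sin6->sin6_len = sizeof(*sin6);` would make the address fully defined. The AF_INET branch appears to have the same shape with `sin_len` and `sin_zero`. The allocation and any NULL check sit outside this hunk.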
@@ -942,7 +941,7 @@ lookup_addresses(struct netconfig *nconf)
}
}
- servaddr.len = servaddr.maxlen = res->ai_addr->sa_len;
+ servaddr.len = servaddr.maxlen = res->ai_addrlen;
servaddr.buf = res->ai_addr;
uaddr = taddr2uaddr(nconf, &servaddr);
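Review bot: Nothing in this hunk checks `uaddr` after the `taddr2uaddr` call, although the failure described in the log was a NULL result reaching the kernel and surfacing only as EFAULT. If the code after the hunk does not already do so, a guard such as `if (uaddr == NULL) { syslog(LOG_ERR, "taddr2uaddr failed"); exit(1); }` would turn any future length mismatch into a clear startup error instead of a bad copyin(). A short comment on the assignment, e.g. `/* taddr2uaddr() validates the netbuf length, so pass the real sockaddr size */`, would also record why `ai_addrlen` is used. The function continues past the last line shown.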