[stgt] [PATCH] bs_sheepdog.c: fix up buffer overrun issues with unix domain socket

FUJITA Tomonori fujita.tomonori at lab.ntt.co.jp
Tue Dec 3 08:42:02 CET 2013

On Tue,  3 Dec 2013 10:28:42 +0900
Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp> wrote:

> The current sheepdog driver still has two buffer overrun issues due to
> unsafe strncpy uses for the pathname buffer of unix domain socket:
> 1) The size of "sun_path" string buffer of "sockaddr_un" structure is
>    108 bytes, however, UNIX_PATH_MAX macro is locally defined as 109.
>    So, the following strncpy use at connect_to_sdog_unix function
>    still can be filled without a terminating null byte.
>       strncpy(un.sun_path, path, UNIX_PATH_MAX - 1);
> 2) The following use of strncpy at sd_open function also has a buffer
>    overrun issue because the size of ai->uds_path is the same as
>       strncpy(ai->uds_path, result, UNIX_PATH_MAX);
> Moreover, the local definition of UNIX_PATH_MAX, which gives the
> buffer size of unix domain socket pathname, is confusing.  It is
> traditionally used to define the size of "sun_path" string buffer of
> "sockaddr_un", which is 108 bytes including a terminating null byte,
> but this local macro sets it to 109 bytes.
> This patch fixes up these issues.
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp>
> Cc: Hitoshi Mitake <mitake.hitoshi at lab.ntt.co.jp>
> ---
>  usr/bs_sheepdog.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Applied, thanks.
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the stgt mailing list