[stgt] [PATCH] bs_sheepdog.c: fix up buffer overrun issues with unix domain socket
FUJITA Tomonori
fujita.tomonori at lab.ntt.co.jp
Tue Dec 3 08:42:02 CET 2013
On Tue, 3 Dec 2013 10:28:42 +0900
Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp> wrote:
> The current sheepdog driver still has two buffer overrun issues due to
> unsafe strncpy uses for the pathname buffer of unix domain socket:
>
> 1) The size of "sun_path" string buffer of "sockaddr_un" structure is
> 108 bytes, however, UNIX_PATH_MAX macro is locally defined as 109.
> So, the following strncpy use at connect_to_sdog_unix function
> still can be filled without a terminating null byte.
>
> strncpy(un.sun_path, path, UNIX_PATH_MAX - 1);
>
> 2) The following use of strncpy at sd_open function also has a buffer
> overrun issue because the size of ai->uds_path is the same as
> UNIX_PATH_MAX.
>
> strncpy(ai->uds_path, result, UNIX_PATH_MAX);
>
> Moreover, the local definition of UNIX_PATH_MAX, which gives the
> buffer size of unix domain socket pathname, is confusing. It is
> traditionally used to define the size of "sun_path" string buffer of
> "sockaddr_un", which is 108 bytes including a terminating null byte,
> but this local macro sets it to 109 bytes.
>
> This patch fixes up these issues.
>
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke at lab.ntt.co.jp>
> Cc: Hitoshi Mitake <mitake.hitoshi at lab.ntt.co.jp>
> ---
> usr/bs_sheepdog.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the stgt
mailing list