author | emaste <emaste@FreeBSD.org> | 2008-07-03 23:26:10 +0000 |
---|---|---|
committer | emaste <emaste@FreeBSD.org> | 2008-07-03 23:26:10 +0000 |
commit | 240825654b391ec4881cb7faaeaae4ec983bb980 (patch) | |
tree | dacc78ee8dca28200324cec99bfde5c5e2d313b8 /sys/kern/uipc_usrreq.c | |
parent | a47dd1888d3c3115651e4eb66c821d2bd55fd087 (diff) | |
Use bcopy instead of strlcpy in uipc_bind and unp_connect, since
soun->sun_path isn't a null-terminated string. As UNIX(4) states, "the
terminating NUL is not part of the address." Since strlcpy has to return
"the total length of the string [it] tried to create," it walks off the end
of soun->sun_path looking for a \0.
This reverts r105332.
Reported by: Ryan Stone
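The over-read described in the commit message, as an added userland example that is not part of the commit or of the FreeBSD source. `demo_strlcpy`, `mem` and `NAMELEN` are constructed for illustration, and `memcpy` stands in for the kernel's `bcopy`.

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 8	/* address length, carried separately as with sa_len */

/* Constructed sample: the first NAMELEN bytes are the path, with no NUL of
 * its own; the remaining bytes stand for whatever memory follows it. */
static const char mem[16] = "/tmp/sok" "NEIGHBR";

/* strlcpy semantics written out (hypothetical helper) so that the number of
 * source bytes examined can be reported. */
static size_t
demo_strlcpy(char *dst, const char *src, size_t dstsize, size_t *nread)
{
	size_t i;

	for (i = 0; src[i] != '\0'; i++)	/* return value needs strlen(src) */
		if (i + 1 < dstsize)
			dst[i] = src[i];
	if (dstsize != 0)
		dst[i < dstsize ? i : dstsize - 1] = '\0';
	*nread = i + 1;			/* counts the NUL that ended the scan */
	return (i);
}

/* Copy with strlcpy semantics; return source bytes read past the address. */
size_t
overread_strlcpy(char *buf, size_t bufsize)
{
	size_t nread;

	(void)demo_strlcpy(buf, mem, bufsize, &nread);
	return (nread - NAMELEN);
}

/* Length-bounded form: reads exactly NAMELEN source bytes, then terminates. */
void
bounded_copy(char *buf)
{
	memcpy(buf, mem, NAMELEN);
	buf[NAMELEN] = '\0';
}

int
main(void)
{
	char a[NAMELEN + 1], b[NAMELEN + 1];

	printf("strlcpy form read %zu bytes past the address\n",
	    overread_strlcpy(a, sizeof(a)));
	bounded_copy(b);
	printf("destinations identical: %s\n", strcmp(a, b) == 0 ? "yes" : "no");
	return (0);
}
```

Both forms leave the same bytes in the destination, so the over-read does not show up in the copied path; it is only visible on the source side.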
Diffstat (limited to 'sys/kern/uipc_usrreq.c')
-rw-r--r-- | sys/kern/uipc_usrreq.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index f5ac25c..4f7333d 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -416,7 +416,8 @@ uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td) UNP_PCB_UNLOCK(unp); buf = malloc(namelen + 1, M_TEMP, M_WAITOK); - strlcpy(buf, soun->sun_path, namelen + 1); + bcopy(soun->sun_path, buf, namelen); + buf[namelen] = 0; restart: vfslocked = 0; @@ -1129,7 +1130,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td) len = nam->sa_len - offsetof(struct sockaddr_un, sun_path); if (len <= 0) return (EINVAL); - strlcpy(buf, soun->sun_path, len + 1); + bcopy(soun->sun_path, buf, len); + buf[len] = 0; UNP_PCB_LOCK(unp); if (unp->unp_flags & UNP_CONNECTING) { |
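Review bot: In the uipc_bind hunk, the new `bcopy(soun->sun_path, buf, namelen);` line has no comment saying why strlcpy is wrong here, and since the commit message says this reverts an earlier change, the same cleanup could easily be applied again. Suggest a short comment above the bcopy noting that sun_path is not NUL-terminated and that its length comes from namelen. As a style point, `buf[namelen] = 0;` would read more clearly as `buf[namelen] = '\0';`.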
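Review bot: In the unp_connect hunk, `buf[len] = 0;` writes at index len, but the only check on len visible here is `if (len <= 0)`, and the declaration of buf is outside the hunk, so the upper bound cannot be confirmed from these lines. Suggest an explicit check or a KASSERT that len is smaller than sizeof(buf) before the bcopy, or a comment stating what bounds len. The same comment about sun_path not being NUL-terminated would help here as well.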