diff options
| author | ngie <ngie@FreeBSD.org> | 2016-05-13 08:25:06 +0000 |
|---|---|---|
| committer | ngie <ngie@FreeBSD.org> | 2016-05-13 08:25:06 +0000 |
| commit | 29310b2c8f33351be0a1fdf7ee237bc3ebc2991d (patch) | |
| tree | fd4039ca7dd089b8b2de97635d1fe61ee193ca4f /sys/kgssapi/gss_impl.c | |
| parent | 8d808d7b779a395d962236552309cbafe956a3d2 (diff) | |
| download | FreeBSD-src-29310b2c8f33351be0a1fdf7ee237bc3ebc2991d.zip FreeBSD-src-29310b2c8f33351be0a1fdf7ee237bc3ebc2991d.tar.gz | |
MFC r295134,r298338,r298655:
r295134 (by cem):
kcrypto_aes: Use separate sessions for AES and SHA1
Some hardware supports AES acceleration but not SHA1, e.g., AES-NI
extensions. It is useful to have accelerated AES even if SHA1 must be
software.
Suggested by: asomers
r298338 (by cem):
kgssapi(4): Don't allow user-provided arguments to overrun stack buffer
An over-long path argument to gssd_syscall could overrun the stack sockaddr_un
buffer. Fix gssd_syscall to not permit that.
If an over-long path is provided, gssd_syscall now returns EINVAL.
It looks like PRIV_NFS_DAEMON isn't granted anywhere, so my best guess is that
this is likely only triggerable by root.
CID: 1006751
r298655 (by cem):
kgssapi: Don't leak memory in error cases
CIDs: 1007046, 1007047, 1007048
Diffstat (limited to 'sys/kgssapi/gss_impl.c')
| -rw-r--r-- | sys/kgssapi/gss_impl.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/kgssapi/gss_impl.c b/sys/kgssapi/gss_impl.c index d27f219..2c5922e 100644 --- a/sys/kgssapi/gss_impl.c +++ b/sys/kgssapi/gss_impl.c @@ -104,10 +104,12 @@ sys_gssd_syscall(struct thread *td, struct gssd_syscall_args *uap) error = copyinstr(uap->path, path, sizeof(path), NULL); if (error) return (error); + if (strlen(path) + 1 > sizeof(sun.sun_path)) + return (EINVAL); if (path[0] != '\0') { sun.sun_family = AF_LOCAL; - strcpy(sun.sun_path, path); + strlcpy(sun.sun_path, path, sizeof(sun.sun_path)); sun.sun_len = SUN_LEN(&sun); nconf = getnetconfigent("local"); |
