authorcem <cem@FreeBSD.org>2016-04-20 05:02:13 +0000
committercem <cem@FreeBSD.org>2016-04-20 05:02:13 +0000
commit62fb6917238c65fe51b0be78a160203b02921685 (patch)
treefe4359b517bf65a46730800e526cdd5c817d0ca7 /sys/kgssapi/gss_impl.c
parent3a5e520024b3e85dc738a50fe40da3ef45a6d022 (diff)
kgssapi(4): Don't allow user-provided arguments to overrun stack buffer
An over-long path argument to gssd_syscall could overrun the stack sockaddr_un buffer. Fix gssd_syscall to not permit that. If an over-long path is provided, gssd_syscall now returns EINVAL. It looks like PRIV_NFS_DAEMON isn't granted anywhere, so my best guess is that this is likely only triggerable by root. Reported by: Coverity CID: 1006751 Sponsored by: EMC / Isilon Storage Division
Diffstat (limited to 'sys/kgssapi/gss_impl.c')
-rw-r--r--sys/kgssapi/gss_impl.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/kgssapi/gss_impl.c b/sys/kgssapi/gss_impl.c
index 38930d7..dcb3c7d 100644
--- a/sys/kgssapi/gss_impl.c
+++ b/sys/kgssapi/gss_impl.c
@@ -104,10 +104,12 @@ sys_gssd_syscall(struct thread *td, struct gssd_syscall_args *uap)
error = copyinstr(uap->path, path, sizeof(path), NULL);
if (error)
return (error);
+ if (strlen(path) + 1 > sizeof(sun.sun_path))
+ return (EINVAL);
if (path[0] != '\0') {
sun.sun_family = AF_LOCAL;
- strcpy(sun.sun_path, path);
+ strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
sun.sun_len = SUN_LEN(&sun);
nconf = getnetconfigent("local");
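Review bot: The new guard ahead of `if (path[0] != '\0')` returns EINVAL for a string that fits `path` but not `sun.sun_path`, while the `copyinstr` call just above already fails with its own error (ENAMETOOLONG, per copyinstr(9)) when the string does not fit `path`, so callers get two different errnos for the same over-long-path condition; `return (ENAMETOOLONG);` would keep them aligned. The check also deserves a one-line comment such as `/* sun_path is shorter than path[]; reject instead of truncating the socket name */`, because the `strlcpy` that follows does not have its return value checked and would silently truncate if the guard were ever removed. The declarations of `path` and `sun` and the rest of sys_gssd_syscall lie outside the hunk, so the relative buffer sizes here are inferred from the commit message rather than from visible lines.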