Use bcopy instead of strlcpy in uipc_bind and unp_connect, since

soun->sun_path isn't a null-terminated string.  As UNIX(4) states, "the
terminating NUL is not part of the address."  Since strlcpy has to return
"the total length of the string [it] tried to create," it walks off the end
of soun->sun_path looking for a \0.

This reverts r105332.

Reported by:    Ryan Stone

1 files changed, 4 insertions, 2 deletions

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index f5ac25c..4f7333d 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -416,7 +416,8 @@ uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
 	UNP_PCB_UNLOCK(unp);
 
 	buf = malloc(namelen + 1, M_TEMP, M_WAITOK);
-	strlcpy(buf, soun->sun_path, namelen + 1);
+	bcopy(soun->sun_path, buf, namelen);
+	buf[namelen] = 0;
 
 restart:
 	vfslocked = 0;
@@ -1129,7 +1130,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 	len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
 	if (len <= 0)
 		return (EINVAL);
-	strlcpy(buf, soun->sun_path, len + 1);
+	bcopy(soun->sun_path, buf, len);
+	buf[len] = 0;
 
 	UNP_PCB_LOCK(unp);
 	if (unp->unp_flags & UNP_CONNECTING) {