From 240825654b391ec4881cb7faaeaae4ec983bb980 Mon Sep 17 00:00:00 2001
From: emaste
Date: Thu, 3 Jul 2008 23:26:10 +0000
Subject: Use bcopy instead of strlcpy in uipc_bind and unp_connect, since soun->sun_path isn't a null-terminated string. As UNIX(4) states, "the terminating NUL is not part of the address." Since strlcpy has to return "the total length of the string [it] tried to create," it walks off the end of soun->sun_path looking for a \0.
This reverts r105332.
Reported by: Ryan Stone
---
sys/kern/uipc_usrreq.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'sys')
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index f5ac25c..4f7333d 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -416,7 +416,8 @@ uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
 UNP_PCB_UNLOCK(unp);
 buf = malloc(namelen + 1, M_TEMP, M_WAITOK);
- strlcpy(buf, soun->sun_path, namelen + 1);
+ bcopy(soun->sun_path, buf, namelen);
+ buf[namelen] = 0;
 restart:
 vfslocked = 0;
@@ -1129,7 +1130,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
 if (len <= 0) return (EINVAL);
- strlcpy(buf, soun->sun_path, len + 1);
+ bcopy(soun->sun_path, buf, len);
+ buf[len] = 0;
 UNP_PCB_LOCK(unp);
 if (unp->unp_flags & UNP_CONNECTING) {
-- cgit v1.1
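Review bot: The new copy `bcopy(soun->sun_path, buf, namelen);` in uipc_bind carries no comment saying why strlcpy must not be used here, and since this commit is itself reverting an earlier change that introduced strlcpy, an unbounded-looking bcopy is likely to be "fixed" back by a future reader. I would add above the bcopy: `/* sun_path is not NUL-terminated (see unix(4)); copy exactly namelen bytes. strlcpy() would read past the end of the address hunting for a NUL. */`. The terminator write `buf[namelen] = 0` is within the `namelen + 1` allocation shown in the hunk, so the remaining correctness condition is that namelen was derived from the supplied address length and validated before the copy, which happens outside the hunk and which I cannot confirm from here. uipc_bind's body starts and ends outside the hunk.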
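Review bot: In unp_connect the terminator write `buf[len] = 0;` is guarded only by the lower-bound check `if (len <= 0)` visible in the hunk; its upper bound is implicit, resting on `nam->sa_len` being a narrow field and on buf (declared outside the hunk) being large enough for that range, neither of which a reader can verify from the change. If buf is a fixed-size array, I would make the bound explicit so it no longer depends on the width of sa_len: `if (len <= 0 || (size_t)len >= sizeof(buf)) return (EINVAL);`. A one-line comment above the bcopy noting that sun_path is not NUL-terminated and that strlcpy would read past it would also help, given that this commit reverts a prior strlcpy change. unp_connect's body starts and ends outside the hunk.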