From mboxrd@z Thu Jan 1 00:00:00 1970 From: Thadeu Lima de Souza Cascardo Subject: Re: [patch] Fix handling of overlength pathname in AF_UNIX sun_path Date: Wed, 18 Apr 2012 10:13:18 -0300 Message-ID: <20120418131318.GB2455@oc1711230544.ibm.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "Carlos O'Donell" , David Miller , mtk.manpages@gmail.com, netdev@vger.kernel.org, penguin-kernel@i-love.sakura.ne.jp, linux-api@vger.kernel.org, yoshfuji@linux-ipv6.org, jengelh@medozas.de, w@1wt.eu, alan@lxorguk.ukuu.org.uk To: David Laight Return-path: Received: from e24smtp02.br.ibm.com ([32.104.18.86]:54215 "EHLO e24smtp02.br.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751382Ab2DRNN2 (ORCPT ); Wed, 18 Apr 2012 09:13:28 -0400 Received: from /spool/local by e24smtp02.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 18 Apr 2012 10:13:26 -0300 Content-Disposition: inline In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Wed, Apr 18, 2012 at 09:17:26AM +0100, David Laight wrote: > > > > > Why not have: > > > > diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c > > index d510353..f9f77a7 100644 > > --- a/net/unix/af_unix.c > > +++ b/net/unix/af_unix.c > > @@ -216,6 +216,9 @@ static int unix_mkname(struct sockaddr_un > > *sunaddr, int len, unsigned *hashp) > > */ > > ((char *)sunaddr)[len] = 0; > > len = strlen(sunaddr->sun_path)+1+sizeof(short); > > + /* No null terminator was found in the path. */ > > + if (len > sizeof(*sunaddr)) > > + return -EINVAL; > > return len; > > That could generate a kernel page fault! > (Depending on what follows (or rather doesn't follow!) sun_path.) > You'd need to use memchr() not strlen(). > > David > Hi, David. What follows is a 0 byte, because it's set that way in the line before strlen. Note that len is tested for sizeof(*sunaddr), and there is a huge comment about that extra byte that was omitted. The whole function is at net/unix/af_unix.c:203. Regards, Cascardo.