[4/4] unix: check that a length of a socket is less than UNIX_PATH_MAX

Submitted by Andrey Vagin on July 12, 2018, 8:41 p.m.

Details

Message ID 20180712204145.6494-4-avagin@virtuozzo.com
State Accepted
Series "Series without cover letter"
Commit Message

Andrey Vagin July 12, 2018, 8:41 p.m.
CID 190774 (#1 of 1): Out-of-bounds access (OVERRUN)
5. overrun-buffer-arg: Overrunning array addr.sun_path of 108 bytes by
passing it to a function which accesses it at byte offset 4094 using
argument ui->ue->name.len (which evaluates to 4095).

Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
---
 criu/sk-unix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/criu/sk-unix.c b/criu/sk-unix.c
index cfe0fa18b..cedbd2f88 100644
--- a/criu/sk-unix.c
+++ b/criu/sk-unix.c
@@ -1408,7 +1408,7 @@  static int bind_on_deleted(int sk, struct unix_sk_info *ui)
 	bool renamed = false;
 	int ret;
 
-	if (ui->ue->name.len >= sizeof(path)) {
+	if (ui->ue->name.len >= sizeof(UNIX_PATH_MAX)) {
 		pr_err("ghost: Too long name for socket id %#x ino %d name %s\n",
 		       ui->ue->id, ui->ue->ino, ui->name);
 		return -ENOSPC;
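
Review bot: in the new condition, `sizeof(UNIX_PATH_MAX)` yields the size of the constant's type (a few bytes), not the 108-byte capacity of addr.sun_path cited in the commit message, so the check now returns -ENOSPC for any name whose length reaches that few-byte size rather than only for over-long names. Compare against the value itself, `if (ui->ue->name.len >= UNIX_PATH_MAX) {`. The hunk does not show how `path` is declared; if the name is also copied into `path` later in bind_on_deleted(), the bound against `sizeof(path)` should stay alongside the new one instead of being replaced.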