[ovs-dev] [PATCH] socket-util-unix: Avoid buffer read overrun in get_unix_name_len().
Ben Pfaff
blp at ovn.org
Thu Sep 15 03:39:03 UTC 2016
If the socket length does not include any of the bytes of the path, then
the code should not read even the first byte of the path.
Found by valgrind.
CC: Thadeu Lima de Souza Cascardo <cascardo at redhat.com>
Reported-by: Joe Stringer <joe at ovn.org>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
lib/socket-util-unix.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c
index 5d4b88c..59f63fc 100644
--- a/lib/socket-util-unix.c
+++ b/lib/socket-util-unix.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014 Nicira, Inc.
+ * Copyright (c) 2014, 2016 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -389,7 +389,7 @@ error:
int
get_unix_name_len(const struct sockaddr_un *sun, socklen_t sun_len)
{
- return (sun_len >= offsetof(struct sockaddr_un, sun_path) &&
+ return (sun_len > offsetof(struct sockaddr_un, sun_path) &&
sun->sun_path[0] != 0
? sun_len - offsetof(struct sockaddr_un, sun_path)
: 0);
--
2.1.3
More information about the dev
mailing list