From 63defefaebb43a4a78e4e662ef9b954726e4b5ca Mon Sep 17 00:00:00 2001
From: cperciva
Date: Tue, 4 Oct 2011 19:07:38 +0000
Subject: [PATCH] Fix a bug in UNIX socket handling in the linux emulator which was exposed by the security fix in FreeBSD-SA-11:05.unix.
Approved by: so (cperciva)
Approved by: re (kib)
Security: Related to FreeBSD-SA-11:05.unix, but not actually a security fix.
git-svn-id: svn://svn.freebsd.org/base/releng/8.2@226023 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING | 4 ++++
 sys/compat/linux/linux_socket.c | 15 +++++++++++++++
 sys/conf/newvers.sh | 2 +-
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/UPDATING b/UPDATING
index 4ea959f0..6b09f9b5 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
 debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready.
+20111004: p4 FreeBSD-SA-11:05.unix (revised)
+ Fix a bug in UNIX socket handling in the linux emulator which was
+ exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928: p3 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 Fix handling of corrupt compress(1)ed data. [11:04]
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c
index d94d9263..9155db23 100644
--- a/sys/compat/linux/linux_socket.c
+++ b/sys/compat/linux/linux_socket.c
@@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen,
 int oldv6size;
 struct sockaddr_in6 *sin6;
 #endif
+ int namelen;
 if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 return (EINVAL);
@@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen,
 }
 }
+ if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+ for (namelen = 0;
+ namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+ namelen++)
+ if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+ break;
+ if (namelen + offsetof(struct sockaddr_un, sun_path) >
+ sizeof(struct sockaddr_un)) {
+ error = EINVAL;
+ goto out;
+ }
+ alloclen = sizeof(struct sockaddr_un);
+ }
+
 sa = (struct sockaddr *) kosa;
 sa->sa_family = bdom;
 sa->sa_len = alloclen;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 178eaee7..c48d1822 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="8.2"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
--
2.42.0
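Review bot: The new AF_LOCAL block in the second hunk of sys/compat/linux/linux_socket.c has no comment explaining why a `*osalen` larger than `sizeof(struct sockaddr_un)` is tolerated here and then clamped. I would add above the `if`: `/* Linux's sockaddr_un has a longer sun_path than ours: accept the larger length only when the name itself fits, then clamp to our size. */`. The same comment should record the boundary case: `namelen + offsetof(...) > sizeof(struct sockaddr_un)` still admits a name that fills `sun_path` with no NUL inside it, so whatever consumes `sa` has to bound the path by `sa_len`, not by termination. `namelen` is declared `int` in the first hunk but is compared against `size_t` expressions; that is sound only because of the `*osalen < 2 || *osalen > UCHAR_MAX` check at the top of the function (assuming `*osalen` is not changed in between, which the hunks do not show), and `size_t namelen;` would remove the mixed-sign comparison. do_sa_get() starts and ends outside both hunks, so the allocation size of `kosa` and the `out:` path could not be checked from here.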