From 984ce6f4e3cead6fb9457d7539a80521b518b8d7 Mon Sep 17 00:00:00 2001 From: delphij Date: Thu, 15 Jun 2017 04:37:23 +0000 Subject: [PATCH] MFC r319852: Fix buffer lengths. After r319369, the RPC code validates caller supplied buffer length in taddr2uaddr. When no -h is specified, the sizeof(ai_addr) is used, which is always smaller than the required size and therefore uaddr would be NULL, causing the kernel to copyin() from userland NULL and fail with EFAULT. git-svn-id: svn://svn.freebsd.org/base/stable/10@319966 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- usr.sbin/rpc.lockd/lockd.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/usr.sbin/rpc.lockd/lockd.c b/usr.sbin/rpc.lockd/lockd.c index 72a5e257d..08f061a7c 100644 --- a/usr.sbin/rpc.lockd/lockd.c +++ b/usr.sbin/rpc.lockd/lockd.c @@ -906,8 +906,7 @@ lookup_addresses(struct netconfig *nconf) sin->sin_port = htons(0); sin->sin_addr.s_addr = htonl(INADDR_ANY); res->ai_addr = (struct sockaddr*) sin; - res->ai_addrlen = (socklen_t) - sizeof(res->ai_addr); + res->ai_addrlen = sizeof(struct sockaddr_in); break; case AF_INET6: sin6 = malloc(sizeof(struct sockaddr_in6)); @@ -917,7 +916,7 @@ lookup_addresses(struct netconfig *nconf) sin6->sin6_port = htons(0); sin6->sin6_addr = in6addr_any; res->ai_addr = (struct sockaddr*) sin6; - res->ai_addrlen = (socklen_t) sizeof(res->ai_addr); + res->ai_addrlen = sizeof(struct sockaddr_in6); break; default: break; @@ -942,7 +941,7 @@ lookup_addresses(struct netconfig *nconf) } } - servaddr.len = servaddr.maxlen = res->ai_addr->sa_len; + servaddr.len = servaddr.maxlen = res->ai_addrlen; servaddr.buf = res->ai_addr; uaddr = taddr2uaddr(nconf, &servaddr); -- 2.45.0