Date:      Wed, 20 Apr 2016 05:02:13 +0000 (UTC)
From:      "Conrad E. Meyer" <cem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r298338 - head/sys/kgssapi
Message-ID:  <201604200502.u3K52Dx8094782@repo.freebsd.org>

Author: cem
Date: Wed Apr 20 05:02:13 2016
New Revision: 298338
URL: https://svnweb.freebsd.org/changeset/base/298338

Log:
  kgssapi(4): Don't allow user-provided arguments to overrun stack buffer
  
  An over-long path argument to gssd_syscall could overrun the stack sockaddr_un
  buffer.  Fix gssd_syscall to not permit that.
  
  If an over-long path is provided, gssd_syscall now returns EINVAL.
  
  It looks like PRIV_NFS_DAEMON isn't granted anywhere, so my best guess is that
  this is likely only triggerable by root.
  
  Reported by:	Coverity
  CID:		1006751
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sys/kgssapi/gss_impl.c

Modified: head/sys/kgssapi/gss_impl.c
==============================================================================
--- head/sys/kgssapi/gss_impl.c	Wed Apr 20 04:50:33 2016	(r298337)
+++ head/sys/kgssapi/gss_impl.c	Wed Apr 20 05:02:13 2016	(r298338)
@@ -104,10 +104,12 @@ sys_gssd_syscall(struct thread *td, stru
 	error = copyinstr(uap->path, path, sizeof(path), NULL);
 	if (error)
 		return (error);
+	if (strlen(path) + 1 > sizeof(sun.sun_path))
+		return (EINVAL);
 
 	if (path[0] != '\0') {
 		sun.sun_family = AF_LOCAL;
-		strcpy(sun.sun_path, path);
+		strlcpy(sun.sun_path, path, sizeof(sun.sun_path));
 		sun.sun_len = SUN_LEN(&sun);
 		
 		nconf = getnetconfigent("local");
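
Review bot: the new length check right after copyinstr() returns EINVAL, while copyinstr() itself fails with ENAMETOOLONG when the string does not fit in path, so a caller sees two different errnos for an over-long path depending on how far over it is. Consider returning ENAMETOOLONG from the new check as well, or add a comment saying why EINVAL was chosen. The check could also use the copied length that copyinstr() reports through its fourth argument (passed as NULL here) instead of a separate strlen(path). With the check in place the strlcpy() into sun.sun_path can no longer truncate, so it is defence in depth only; a one-line comment to that effect would keep a later reader from dropping the check as redundant.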


