unix: check that a length of a socket is less than UNIX_PATH_MAX

CID 190774 (#1 of 1): Out-of-bounds access (OVERRUN) 5. overrun-buffer-arg: Overrunning array addr.sun_path of 108 bytes by passing it to a function which accesses it at byte offset 4094 using argument ui->ue->name.len (which evaluates to 4095). Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>

unix: check that a length of a socket is less than UNIX_PATH_MAX
CID 190774 (#1 of 1): Out-of-bounds access (OVERRUN) 5. overrun-buffer-arg: Overrunning array addr.sun_path of 108 bytes by passing it to a function which accesses it at byte offset 4094 using argument ui->ue->name.len (which evaluates to 4095). Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
682610a9 · Andrei Vagin · Andrei Vagin · 80d2c215 · 682610a9
Commit 682610a9 authored Jul 12, 2018 by Andrei Vagin Committed by Andrei Vagin Oct 30, 2018
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

sk-unix.c criu/sk-unix.c +1 -1

No files found.
--- a/criu/sk-unix.c
+++ b/criu/sk-unix.c
@@ -1408,7 +1408,7 @@ static int bind_on_deleted(int sk, struct unix_sk_info *ui)
 	bool renamed = false;
 	int ret;

-	if (ui->ue->name.len >= sizeof(path)) {
+	if (ui->ue->name.len >= sizeof(UNIX_PATH_MAX)) {
 		pr_err("ghost: Too long name for socket id %#x ino %d name %s\n",
 		       ui->ue->id, ui->ue->ino, ui->name);
 		return -ENOSPC;