This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH] mach/hurd getpeername(fd,NULL,&len) crashes even if len==0
- From: Samuel Thibault <samuel dot thibault at ens-lyon dot org>
- To: libc-alpha at sources dot redhat dot com
- Date: Thu, 11 Aug 2005 03:13:48 +0200
- Subject: [PATCH] mach/hurd getpeername(fd,NULL,&len) crashes even if len==0
Hi,
The implementation of getpeername(fd, addr, len) (in
libc/sysdeps/mach/hurd/getpeername.c) performs addr->sa_family = type;
without checking that *len is big enough, so that socklen_t len = 0;
getpeername(fd, NULL, &len); crashes (while it is a common way to
determine whether an fd is a socket).
Here is some patch:
2005-08-11 Samuel Thibault <samuel.thibault@ens-lyon.org>
* sysdeps/mach/hurd/getpeername.c (__getpeername): Check length
of buffer before writing the sa_family member.
Index: sysdeps/mach/hurd/getpeername.c
===================================================================
RCS file: /cvs/glibc/libc/sysdeps/mach/hurd/getpeername.c,v
retrieving revision 1.11
diff -u -p -r1.11 getpeername.c
--- sysdeps/mach/hurd/getpeername.c 6 Jul 2001 04:55:57 -0000 1.11
+++ sysdeps/mach/hurd/getpeername.c 11 Aug 2005 01:01:55 -0000
@@ -19,6 +19,7 @@
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
+#include <stddef.h>
#include <hurd.h>
#include <hurd/fd.h>
@@ -35,6 +36,7 @@ __getpeername (int fd, __SOCKADDR_ARG ad
struct sockaddr *addr = addrarg.__sockaddr__;
char *buf = (char *) addr;
addr_port_t aport;
+ socklen_t typelen;
if (err = HURD_DPORT_USE (fd, __socket_peername (port, &aport)))
return __hurd_dfail (fd, err);
@@ -54,7 +56,13 @@ __getpeername (int fd, __SOCKADDR_ARG ad
__vm_deallocate (__mach_task_self (), (vm_address_t) buf, buflen);
}
- addr->sa_family = type;
+ if ((typelen = *len - offsetof (__typeof(*addr), sa_family)) > 0)
+ {
+ __typeof (addr->sa_family) _type = type;
+ if (typelen > sizeof(_type))
+ typelen = sizeof(_type);
+ memcpy (&addr->sa_family, &_type, typelen);
+ }
return 0;
}