From edb0d4563c2e808a1c7d9101b2c05087ffb3b279 Mon Sep 17 00:00:00 2001 From: Benoît Ganne Date: Tue, 12 Oct 2021 10:14:30 +0200 Subject: ip: fix punt socket overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit client_pathname is usually smaller than pc->caddr.sun_path. snprint() ensures we stop at the NULL character or sizeof(sun_path) whichever comes 1st. It also guarantees NULL character termination. Type: fix Change-Id: I9fc2a706beab931d50d32d03f7fafca7c6c2fb0b Signed-off-by: Benoît Ganne --- src/vnet/ip/punt.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src/vnet/ip/punt.c')
diff --git a/src/vnet/ip/punt.c b/src/vnet/ip/punt.c
index eb191da1394..10deb2e8849 100644
--- a/src/vnet/ip/punt.c
+++ b/src/vnet/ip/punt.c
@@ -165,7 +165,8 @@ punt_socket_register_l4 (vlib_main_t * vm,
 punt_client_l4_db_add (af, port, c - pm->punt_client_pool);
 }
- memcpy (c->caddr.sun_path, client_pathname, sizeof (c->caddr.sun_path));
+ snprintf (c->caddr.sun_path, sizeof (c->caddr.sun_path), "%s",
+ client_pathname);
 c->caddr.sun_family = AF_UNIX;
 c->reg.type = PUNT_TYPE_L4;
 c->reg.punt.l4.port = port;
@@ -197,7 +198,8 @@ punt_socket_register_ip_proto (vlib_main_t * vm,
 punt_client_ip_proto_db_add (af, proto, c - pm->punt_client_pool);
 }
- memcpy (c->caddr.sun_path, client_pathname, sizeof (c->caddr.sun_path));
+ snprintf (c->caddr.sun_path, sizeof (c->caddr.sun_path), "%s",
+ client_pathname);
 c->caddr.sun_family = AF_UNIX;
 c->reg.type = PUNT_TYPE_IP_PROTO;
 c->reg.punt.ip_proto.protocol = proto;
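Review bot: The `snprintf` into `c->caddr.sun_path` silently truncates a `client_pathname` that is as long as or longer than `sun_path`, so the registration would be stored under a socket path the client never asked for; the same applies to the identical calls in the punt_socket_register_ip_proto and punt_socket_register_exception hunks. Rejecting the over-long name is safer than truncating it, for example `if (strnlen (client_pathname, sizeof (c->caddr.sun_path)) >= sizeof (c->caddr.sun_path))` followed by an error return. The check probably belongs near the top of each function, before the client entry is added to the db, so a rejected request leaves no half-initialised entry; the function bodies start and end outside these hunks, so an existing length check earlier on cannot be ruled out from here. Since the three copies are identical, a small shared helper would keep them from drifting.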
@@ -227,7 +229,8 @@ punt_socket_register_exception (vlib_main_t * vm,
 punt_client_exception_db_add (reason, pc - pm->punt_client_pool);
 }
- memcpy (pc->caddr.sun_path, client_pathname, sizeof (pc->caddr.sun_path));
+ snprintf (pc->caddr.sun_path, sizeof (pc->caddr.sun_path), "%s",
+ client_pathname);
 pc->caddr.sun_family = AF_UNIX;
 pc->reg.type = PUNT_TYPE_EXCEPTION;
 pc->reg.punt.exception.reason = reason;
-- cgit 1.2.3-korg