From f545ad4928fa1f27a3075265182b38a4f939a5f7 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Jan 2022 10:21:34 +0100
Subject: [PATCH] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug
28768)
The sunrpc function svcunix_create suffers from a stack-based buffer
overflow with overlong pathname arguments.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
sunrpc/svc_unix.c | 11 ++++-------
1 files changed, 4 insertions(+), 7 deletions(-)
create mode 100644 sunrpc/svc_unix.c
diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
index f2280b4..67177a2 100644
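--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
 SVCXPRT *xprt;
 struct unix_rendezvous *r;
 struct sockaddr_un addr;
- socklen_t len = sizeof (struct sockaddr_in);
+ socklen_t len = sizeof (addr);
+
+ if (__sockaddr_un_set (&addr, path) < 0)
+ return NULL;
 
 if (sock == RPC_ANYSOCK)
 {
@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
 }
 madesock = TRUE;
 }
- memset (&addr, '\0', sizeof (addr));
- addr.sun_family = AF_UNIX;
- len = strlen (path) + 1;
- memcpy (addr.sun_path, path, len);
- len += sizeof (addr.sun_family);
-
 __bind (sock, (struct sockaddr *) &addr, len);
 
 if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0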
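Review bot: The new early return in the first hunk hands the caller a bare NULL when `__sockaddr_un_set` rejects the path, with no diagnostic and no comment on why the check sits ahead of the `RPC_ANYSOCK` branch. A short comment such as `/* Validate PATH before creating the socket so that failure needs no descriptor cleanup. */` would record that ordering for the next maintainer. The helper's definition is not on this page, so it should be confirmed that it sets errno on an overlong path and that callers can tell this failure from the others. With the `memset` removed in the second hunk, `__bind` now receives `sizeof (addr)` as the length rather than the string length, so it is also worth confirming that the bytes after the terminating NUL in `sun_path` are either initialised by the helper or ignored by the kernel. svcunix_create's body begins and ends outside both hunks, and the diffstat shows no regression test with an overlong pathname accompanying the fix.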