[CRIU] [PATCH 4/4] unix: check that a length of a socket is less than UNIX_PATH_MAX
Andrei Vagin
avagin at virtuozzo.com
Thu Jul 12 23:41:45 MSK 2018
CID 190774 (#1 of 1): Out-of-bounds access (OVERRUN)
5. overrun-buffer-arg: Overrunning array addr.sun_path of 108 bytes by
passing it to a function which accesses it at byte offset 4094 using
argument ui->ue->name.len (which evaluates to 4095).
Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
---
criu/sk-unix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/criu/sk-unix.c b/criu/sk-unix.c
index cfe0fa18b..cedbd2f88 100644
--- a/criu/sk-unix.c
+++ b/criu/sk-unix.c
@@ -1408,7 +1408,7 @@ static int bind_on_deleted(int sk, struct unix_sk_info *ui)
bool renamed = false;
int ret;
- if (ui->ue->name.len >= sizeof(path)) {
+ if (ui->ue->name.len >= sizeof(UNIX_PATH_MAX)) {
pr_err("ghost: Too long name for socket id %#x ino %d name %s\n",
ui->ue->id, ui->ue->ino, ui->name);
return -ENOSPC;
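Review bot: the new condition `ui->ue->name.len >= sizeof(UNIX_PATH_MAX)` applies sizeof to the constant rather than using its value. If UNIX_PATH_MAX is the usual integer macro, this yields the size of an int (typically 4), not the 108-byte sun_path size quoted in the Coverity report. As written, any socket name of four or more bytes would be rejected with -ENOSPC, which breaks the ghost-socket path for nearly all real names, although it does silence the overrun warning. Compare against the value itself, `if (ui->ue->name.len >= UNIX_PATH_MAX) {`, or against the size of the destination array that the name is copied into. It would also help for the commit message to say why the old bound, `sizeof(path)`, was larger than the buffer actually being written.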
--
2.14.3