[CRIU] [PATCH 4/4] unix: check that a length of a socket is less than UNIX_PATH_MAX

Andrei Vagin avagin at virtuozzo.com
Thu Jul 12 23:41:45 MSK 2018


CID 190774 (#1 of 1): Out-of-bounds access (OVERRUN)
5. overrun-buffer-arg: Overrunning array addr.sun_path of 108 bytes by
passing it to a function which accesses it at byte offset 4094 using
argument ui->ue->name.len (which evaluates to 4095).

Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
---
 criu/sk-unix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/criu/sk-unix.c b/criu/sk-unix.c
index cfe0fa18b..cedbd2f88 100644
--- a/criu/sk-unix.c
+++ b/criu/sk-unix.c
@@ -1408,7 +1408,7 @@ static int bind_on_deleted(int sk, struct unix_sk_info *ui)
 	bool renamed = false;
 	int ret;
 
-	if (ui->ue->name.len >= sizeof(path)) {
+	if (ui->ue->name.len >= sizeof(UNIX_PATH_MAX)) {
 		pr_err("ghost: Too long name for socket id %#x ino %d name %s\n",
 		       ui->ue->id, ui->ue->ino, ui->name);
 		return -ENOSPC;
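
Review bot: The new condition, ui->ue->name.len >= sizeof(UNIX_PATH_MAX), applies sizeof to the constant itself, so the bound becomes the size of that expression's type (a few bytes) rather than the 108-byte addr.sun_path limit cited in the commit message. As written, the check would return -ENOSPC for almost every socket name, not only for names that overrun addr.sun_path. Compare against the value directly, ui->ue->name.len >= UNIX_PATH_MAX, or against sizeof(addr.sun_path) so the bound tracks the destination buffer that the Coverity report flagged. The old bound, sizeof(path), is presumably larger than sun_path, given the reported len of 4095, so the intent of tightening it is right; only the sizeof wrapper needs to go.
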
-- 
2.14.3


