Backport memory fix (2014-03-22T03:04:53Z!dancol@dancol.org) from trunk

diff --git a/src/ChangeLog b/src/ChangeLog
index 48fc2262e924cae8a77610e5169f1453e5142195..e8ae781bf4d17d4b99cf49c0391d815bffe9d04d 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2014-03-22  Daniel Colascione  <dancol@dancol.org>
+
+       * process.c (conv_sockaddr_to_lisp): When extracting the string
+       names of AF_LOCAL sockets, stop before reading uninitialized
+       memory.
+
 2014-03-23  Daniel Colascione  <dancol@dancol.org>
 
        * process.c (DATAGRAM_CONN_P): Don't underflow datagram_address

diff --git a/src/process.c b/src/process.c
index 6f89408b5ee278c081dce71b9820c3ca1b868ef7..fd34eb08d9d583962d7dd36a1ff47969d3081f09 100644 (file)
--- a/src/process.c
+++ b/src/process.c
@@ -2013,10 +2013,22 @@ conv_sockaddr_to_lisp (struct sockaddr *sa, int len)
     case AF_LOCAL:
       {
        struct sockaddr_un *sockun = (struct sockaddr_un *) sa;
-       for (i = 0; i < sizeof (sockun->sun_path); i++)
-         if (sockun->sun_path[i] == 0)
-           break;
-       return make_unibyte_string (sockun->sun_path, i);
+        ptrdiff_t name_length = len - offsetof (struct sockaddr_un, sun_path);
+        /* If the first byte is NUL, the name is a Linux abstract
+           socket name, and the name can contain embedded NULs.  If
+           it's not, we have a NUL-terminated string.  Be careful not
+           to walk past the end of the object looking for the name
+           terminator, however.  */
+        if (name_length > 0 && sockun->sun_path[0] != '\0')
+          {
+            const char* terminator =
+              memchr (sockun->sun_path, '\0', name_length);
+
+            if (terminator)
+              name_length = terminator - (const char*) sockun->sun_path;
+          }
+
+       return make_unibyte_string (sockun->sun_path, name_length);
       }
 #endif
     default: