From e4e40f72f3cfd29c98f6a450490cdb4caf1bdc68 Mon Sep 17 00:00:00 2001
From: Daniel Colascione
Date: Sat, 22 Mar 2014 23:07:54 -0700
Subject: [PATCH] Backport memory fix (2014-03-22T03:04:53Z!dancol@dancol.org) from trunk
---
 src/ChangeLog | 6 ++++++
 src/process.c | 20 ++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 48fc2262e92..e8ae781bf4d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2014-03-22 Daniel Colascione
+
+ * process.c (conv_sockaddr_to_lisp): When extracting the string
+ names of AF_LOCAL sockets, stop before reading uninitialized
+ memory.
+
 2014-03-23 Daniel Colascione
 * process.c (DATAGRAM_CONN_P): Don't underflow datagram_address
diff --git a/src/process.c b/src/process.c
index 6f89408b5ee..fd34eb08d9d 100644
--- a/src/process.c
+++ b/src/process.c
@@ -2013,10 +2013,22 @@ conv_sockaddr_to_lisp (struct sockaddr *sa, int len)
 case AF_LOCAL:
 {
 struct sockaddr_un *sockun = (struct sockaddr_un *) sa;
- for (i = 0; i < sizeof (sockun->sun_path); i++)
- if (sockun->sun_path[i] == 0)
- break;
- return make_unibyte_string (sockun->sun_path, i);
+ ptrdiff_t name_length = len - offsetof (struct sockaddr_un, sun_path);
+ /* If the first byte is NUL, the name is a Linux abstract
+ socket name, and the name can contain embedded NULs. If
+ it's not, we have a NUL-terminated string. Be careful not
+ to walk past the end of the object looking for the name
+ terminator, however. */
+ if (name_length > 0 && sockun->sun_path[0] != '\0')
+ {
+ const char* terminator =
+ memchr (sockun->sun_path, '\0', name_length);
+ if (terminator)
+ name_length = terminator - (const char*) sockun->sun_path;
+ }
+
+ return make_unibyte_string (sockun->sun_path, name_length);
 }
 #endif
 default:
--
2.39.2
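Review bot: `name_length` is never clamped in the new AF_LOCAL code: when `len` is smaller than `offsetof (struct sockaddr_un, sun_path)` it goes negative, and because the `if` only runs for a positive length with a non-NUL first byte, a negative value, or an oversized one if a caller passes the size of a larger storage buffer rather than the length the kernel reported, flows straight into `memchr` or `make_unibyte_string`. The callers are not visible in this hunk, so whether either case occurs in practice is inferred, but a clamp right after the subtraction costs nothing and makes the bound explicit: `if (name_length < 0) name_length = 0;` followed by `else if (name_length > (ptrdiff_t) sizeof sockun->sun_path) name_length = sizeof sockun->sun_path;`. Minor style: `const char* terminator` and `(const char*)` bind the star to the type, while the context line `struct sockaddr_un *sockun = (struct sockaddr_un *) sa;` shows the file's GNU convention of `const char *terminator` and `(const char *)`. conv_sockaddr_to_lisp begins and ends outside this hunk.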