From 188fc1cf6ee9905e765c62f5190caf9b95e4f77b Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <corinna@vinschen.de>
Date: Mon, 4 Feb 2013 12:04:20 +0000
Subject: 	* fhandler_socket.cc (fhandler_socket::bind): Fix length check
 of 	AF_LOCAL filename so it never accesses memory beyond namelen.  Also 
 make sure filename is NUL-terminated.

---
 winsup/cygwin/fhandler_socket.cc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'winsup/cygwin/fhandler_socket.cc')

diff --git a/winsup/cygwin/fhandler_socket.cc b/winsup/cygwin/fhandler_socket.cc
index 6625eef05..6f13e51ce 100644
--- a/winsup/cygwin/fhandler_socket.cc
+++ b/winsup/cygwin/fhandler_socket.cc
@@ -900,17 +900,19 @@ fhandler_socket::bind (const struct sockaddr *name, int namelen)
     {
 #define un_addr ((struct sockaddr_un *) name)
       struct sockaddr_in sin;
-      int len = sizeof sin;
+      int len = namelen - offsetof (struct sockaddr_un, sun_path);
 
-      if (strlen (un_addr->sun_path) >= UNIX_PATH_LEN)
+      /* Check that name is within bounds and NUL-terminated. */
+      if (len <= 1 || len > UNIX_PATH_LEN
+	  || !memchr (un_addr->sun_path, '\0', len))
 	{
-	  set_errno (ENAMETOOLONG);
+	  set_errno (len < 1 ? EINVAL : ENAMETOOLONG);
 	  goto out;
 	}
       sin.sin_family = AF_INET;
       sin.sin_port = 0;
       sin.sin_addr.s_addr = htonl (INADDR_LOOPBACK);
-      if (::bind (get_socket (), (sockaddr *) &sin, len))
+      if (::bind (get_socket (), (sockaddr *) &sin, len = sizeof sin))
 	{
 	  syscall_printf ("AF_LOCAL: bind failed");
 	  set_winsock_errno ();
-- 
cgit v1.2.3