bug-hurd

getpeername(fd,NULL,NULL) crashes


From: Samuel Thibault
Subject: getpeername(fd,NULL,NULL) crashes
Date: Thu, 11 Aug 2005 01:42:41 +0200
User-agent: Mutt/1.5.9i-nntp

Hi,

The implementation of getpeername(fd, addr, len) (in
libc/sysdeps/mach/hurd/getpeername.c) performs addr->sa_family = type;
without checking that *len is big enough, so that getpeername(fd, NULL,
NULL); crashes (while it is a common way to determine whether an fd is a
socket).

Here is a patch:

2005-08-11  Samuel Thibault <samuel.thibault@ens-lyon.org>

        * sysdeps/mach/hurd/getpeername.c (__getpeername): Check length
        of buffer before writing the sa_family member.

Index: sysdeps/mach/hurd/getpeername.c
===================================================================
RCS file: /cvs/glibc/libc/sysdeps/mach/hurd/getpeername.c,v
retrieving revision 1.11
diff -u -p -r1.11 getpeername.c
--- sysdeps/mach/hurd/getpeername.c     6 Jul 2001 04:55:57 -0000       1.11
+++ sysdeps/mach/hurd/getpeername.c     10 Aug 2005 23:36:00 -0000
@@ -54,7 +54,8 @@ __getpeername (int fd, __SOCKADDR_ARG ad
       __vm_deallocate (__mach_task_self (), (vm_address_t) buf, buflen);
     }
 
-  addr->sa_family = type;
+  if (offsetof (typeof (addr->sa_family), sa_family) + sizeof 
(addr->sa_family) >= *len)
+    addr->sa_family = type;
 
   return 0;
 }
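
Review bot: The condition on the added `if` is wrong in two places. The first argument of `offsetof` is `typeof (addr->sa_family)`, which is the member's own type and has no `sa_family` member, where a structure type such as `struct sockaddr` is needed. The comparison `>= *len` also allows the store exactly when the buffer is too small; it should read `offsetof (struct sockaddr, sa_family) + sizeof (addr->sa_family) <= *len`. In addition, these lines read `*len` and write through `addr` without testing either pointer, so the `getpeername (fd, NULL, NULL)` call from the report is not covered by this check; test `addr != NULL && len != NULL` before the length comparison.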



