aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorColin Percival <cperciva@FreeBSD.org>2011-10-04 19:07:38 +0000
committerColin Percival <cperciva@FreeBSD.org>2011-10-04 19:07:38 +0000
commit7f3836953fe55f9a187459618933cb8ee0defe9e (patch)
treef79e06fe09a116a5da4e6b7300c3d7b5e622215f
parent06b13deee0aa97e88116949eff30f8e62125dc17 (diff)
downloadsrc-7f3836953fe55f9a187459618933cb8ee0defe9e.tar.gz
src-7f3836953fe55f9a187459618933cb8ee0defe9e.zip
Fix a bug in UNIX socket handling in the linux emulator which was
exposed by the security fix in FreeBSD-SA-11:05.unix. Approved by: so (cperciva) Approved by: re (kib) Security: Related to FreeBSD-SA-11:05.unix, but not actually a security fix.
Notes
Notes: svn path=/releng/8.1/; revision=226023
-rw-r--r--UPDATING4
-rw-r--r--sys/compat/linux/linux_socket.c15
-rw-r--r--sys/conf/newvers.sh2
3 files changed, 20 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index 2dc903082845..4d8504f14744 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20111004: p6 FreeBSD-SA-11:05.unix (revised)
+ Fix a bug in UNIX socket handling in the linux emulator which was
+ exposed by the security fix in FreeBSD-SA-11:05.unix.
+
20110928: p5 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
Fix handling of corrupt compress(1)ed data. [11:04]
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c
index d94d9263f8ea..9155db237cbf 100644
--- a/sys/compat/linux/linux_socket.c
+++ b/sys/compat/linux/linux_socket.c
@@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen,
int oldv6size;
struct sockaddr_in6 *sin6;
#endif
+ int namelen;
if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
return (EINVAL);
@@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const struct osockaddr *osa, int *osalen,
}
}
+ if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+ for (namelen = 0;
+ namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+ namelen++)
+ if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+ break;
+ if (namelen + offsetof(struct sockaddr_un, sun_path) >
+ sizeof(struct sockaddr_un)) {
+ error = EINVAL;
+ goto out;
+ }
+ alloclen = sizeof(struct sockaddr_un);
+ }
+
sa = (struct sockaddr *) kosa;
sa->sa_family = bdom;
sa->sa_len = alloclen;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index df32888512a6..fc406f69c662 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.1"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi