From stas@grumbler.org  Fri Oct 26 04:23:44 2001
Return-Path: <stas@grumbler.org>
Received: from grumbler.org (g.ural.org [217.106.61.2])
	by hub.freebsd.org (Postfix) with ESMTP id 0F76C37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 26 Oct 2001 04:23:22 -0700 (PDT)
Received: (from stas@localhost)
	by grumbler.org 
	for ;
	Fri, 26 Oct 2001 17:03:13 +0600 (YEKST)
	(envelope-from stas)
Message-Id: <200110261103.RAA06245@grumbler.org>
Date: Fri, 26 Oct 2001 17:03:13 +0600 (YEKST)
From: stas@grumbler.org
Reply-To: g@ural.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: Risk of buffer overflow in struct sockaddr_un
X-Send-Pr-Version: 3.2

>Number:         31507
>Category:       bin
>Synopsis:       Risk of buffer overflow in struct sockaddr_un
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 26 04:30:01 PDT 2001
>Closed-Date:    Fri Oct 26 08:18:34 PDT 2001
>Last-Modified:  Fri Oct 26 08:20:00 PDT 2001
>Originator:     Stas Degteff
>Release:        FreeBSD 4.1-RELEASE i386
>Organization:
>Environment:

	FreeBSD 4.* (4.0-STABLE, 4.0-CURRENT & previous version)

>Description:

	In sys/un.h, sockaddr_un is declared as:

/*
 * Definitions for UNIX IPC domain.
 */
struct sockaddr_un {
	u_char	sun_len;		/* sockaddr len including null */
	u_char	sun_family;		/* AF_UNIX */
	char	sun_path[104];		/* path name (gag) */
};

The array size is a numerical constant with a value much less than the PATH_MAX
constant.

>How-To-Repeat:
>Fix:

Apply this path #ifdef MAX_SUN_PATHd.org/pub/FreeBSD/branches/-current/src/sys/sys/un.h:

--- un.h.orig	Fri Oct 26 16:17:01 2001
+++ un.h	Fri Oct 26 16:17:01 2001
@@ -38,4 +38,5 @@
 #define _SYS_UN_H_
 
+#define MAX_SUN_PATH 104
 /*
  * Definitions for UNIX IPC domain.
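Review bot: `MAX_SUN_PATH` at the added `#define` line is an unprefixed, undocumented macro placed in a system header, so it can collide with names that applications already define, and it is not a standard name that portable code could rely on. The width of the field is already available without a new macro as `sizeof(((struct sockaddr_un *)0)->sun_path)`; if the macro stays, give it a comment saying what it measures and consider a name in the header's own namespace.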
@@ -44,5 +45,5 @	
 	u_char	sun_len;		/* sockaddr len including null */
 	u_char	sun_family;		/* AF_UNIX */
-	char	sun_path[104];		/* path name (gag) */
+	char	sun_path[MAX_SUN_PATH];		/* path name (gag) */
 };
 
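Review bot: the hunk header `@@ -44,5 +45,5 @` ends in a single `@` and a stray tab instead of `@@`, so regenerate the diff to get a well-formed header. On the replaced `sun_path` line the array size is still 104, so the structure layout is unchanged and nothing in this hunk reduces the overflow risk named in the synopsis; the longer declarator also pushes the trailing comment out of line with the two fields above it.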


	Then the programmer may use the following code:

struct sockaddr_un server;
#ifdef MAX_SUN_PATH
	strncpy(server.sun_path, file_fifo, MAX_SUN_PATH);
#else
	strncpy(server.sun_path, file_fifo, 104); /* or other platform-dependent value */
#endif



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wollman 
State-Changed-When: Fri Oct 26 08:18:34 PDT 2001 
State-Changed-Why:  
Clients of this interface are expected to use the sizeof operator. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31507 

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: g@ural.org
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/31507: Risk of buffer overflow in struct sockaddr_un
Date: Fri, 26 Oct 2001 11:18:04 -0400 (EDT)

 <<On Fri, 26 Oct 2001 17:03:13 +0600 (YEKST), stas@grumbler.org said:
 
 > 	Then the programmer may use the following code:
 
 > struct sockaddr_un server;
 > #ifdef MAX_SUN_PATH
 > 	strncpy(server.sun_path, file_fifo, MAX_SUN_PATH);
 > #else
 > 	strncpy(server.sun_path, file_fifo, 104); /* or other platform-dependent value */
 > #endif
 
 No, the correct code would ALWAYS be:
 
 	strncpy(server.sun_path, file_fifo, sizeof server.sun_path);
 
 POSIX says:
 
 # Applications should not assume a particular length for sun_path or
 # assume that it can hold {_POSIX_PATH_MAX} characters (255).
 
 -GAWollman
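
An added example, not part of the original report or of FreeBSD's code: one way to apply the sizeof rule from the reply above while rejecting, rather than truncating, a path that does not fit in sun_path. The helper name `fill_sockaddr_un` and the sample paths are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Added example; fill_sockaddr_un is a hypothetical helper name.
 * Fills *sa for the AF_UNIX path `path` and returns the address length
 * to pass to bind()/connect(). Returns -1 with errno = ENAMETOOLONG if
 * the path plus its terminating NUL does not fit in sun_path.
 */
int
fill_sockaddr_un(struct sockaddr_un *sa, const char *path)
{
	size_t len = strlen(path);

	/* sizeof tracks the platform's declaration (104 in the header quoted above). */
	if (len >= sizeof sa->sun_path) {
		errno = ENAMETOOLONG;	/* reject; a truncated path names a different socket */
		return -1;
	}
	memset(sa, 0, sizeof *sa);
	sa->sun_family = AF_UNIX;
	memcpy(sa->sun_path, path, len + 1);	/* len + 1 copies the NUL as well */
	return (int)(offsetof(struct sockaddr_un, sun_path) + len + 1);
}

int
main(void)
{
	struct sockaddr_un sa;
	char longpath[sizeof sa.sun_path + 16];	/* constructed over-long input */

	memset(longpath, 'a', sizeof longpath - 1);
	longpath[sizeof longpath - 1] = '\0';

	printf("sun_path holds %zu bytes on this platform\n", sizeof sa.sun_path);
	printf("over-long path: %d\n", fill_sockaddr_un(&sa, longpath));
	printf("short path:     %d\n", fill_sockaddr_un(&sa, "/tmp/example.sock"));
	return 0;
}
```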
 
>Unformatted:
