Author: delphij
Date: Mon Jun 12 09:11:31 2017
New Revision: 319852
URL: https://svnweb.freebsd.org/changeset/base/319852

Log:
  Fix buffer lengths.
  
  After r319369, the RPC code validates caller supplied buffer length in
  taddr2uaddr.  When no -h is specified, the sizeof(ai_addr) is used,
  which is always smaller than the required size and therefore uaddr
  would be NULL, causing the kernel to copyin() from userland NULL
  and fail with EFAULT.
  
  Reviewed by:  kevlo (via Telegram)
  MFC after:    3 days
  Differential Revision:        https://reviews.freebsd.org/D11151

Modified:
  head/usr.sbin/rpc.lockd/lockd.c

Modified: head/usr.sbin/rpc.lockd/lockd.c
==============================================================================
--- head/usr.sbin/rpc.lockd/lockd.c     Mon Jun 12 07:48:51 2017        
(r319851)
+++ head/usr.sbin/rpc.lockd/lockd.c     Mon Jun 12 09:11:31 2017        
(r319852)
@@ -902,8 +902,7 @@ lookup_addresses(struct netconfig *nconf)
                                                sin->sin_port = htons(0);
                                                sin->sin_addr.s_addr = 
htonl(INADDR_ANY);
                                                res->ai_addr = (struct 
sockaddr*) sin;
-                                               res->ai_addrlen = (socklen_t)
-                                                   sizeof(res->ai_addr);
+                                               res->ai_addrlen = sizeof(struct 
sockaddr_in);
                                                break;
                                        case AF_INET6:
                                                sin6 = malloc(sizeof(struct 
sockaddr_in6));
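Review bot: The new length assignments spell out the struct type by hand, which is the style the rest of the block avoids; tying the length to the object that was just allocated keeps the two from drifting apart if the allocation ever changes, and it restores the `(socklen_t)` cast the old line had so `ai_addrlen` is not assigned from a `size_t` implicitly, e.g. `res->ai_addrlen = (socklen_t)sizeof *sin;` here and `res->ai_addrlen = (socklen_t)sizeof *sin6;` in the AF_INET6 hunk below. The `malloc()` result on the last line of this hunk is not checked within view; if the check lives in the lines the hunk cuts off, nothing to do, otherwise a NULL `sin6` is dereferenced in the next hunk. lookup_addresses starts and ends outside this hunk.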
@@ -913,7 +912,7 @@ lookup_addresses(struct netconfig *nconf)
                                                sin6->sin6_port = htons(0);
                                                sin6->sin6_addr = in6addr_any;
                                                res->ai_addr = (struct 
sockaddr*) sin6;
-                                               res->ai_addrlen = (socklen_t) 
sizeof(res->ai_addr);
+                                               res->ai_addrlen = sizeof(struct 
sockaddr_in6);
                                                break;
                                        default:
                                                break;
@@ -938,7 +937,7 @@ lookup_addresses(struct netconfig *nconf)
                        }
                }
 
-               servaddr.len = servaddr.maxlen = res->ai_addr->sa_len;
+               servaddr.len = servaddr.maxlen = res->ai_addrlen;
                servaddr.buf = res->ai_addr;
                uaddr = taddr2uaddr(nconf, &servaddr);
 
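Review bot: Passing `res->ai_addrlen` makes `taddr2uaddr()` happy for the hand-built default addresses, but the call can still return NULL (an address from the -h path is built outside these hunks, and the commit message shows the NULL result was previously handed straight to the kernel), and nothing in this hunk guards it. Since the lines after `uaddr = taddr2uaddr(nconf, &servaddr);` are outside the hunk I cannot tell whether a check exists there; if it does not, add one before the string is used, e.g. `if (uaddr == NULL) { /* log via the function's existing mechanism */ return; }` adapted to lookup_addresses's error convention, so a bad address fails with a clear message instead of an EFAULT from the kernel. lookup_addresses begins and ends outside this hunk.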