Properly check the lengths of Unix-socket pathnames.

If something is too long to fit in a sun_addr, we should spot that well in advance and not try.
2025-01-10 01:48:00 +00:00 · 2017-02-14 21:59:52 +00:00 · 2017-02-14 21:59:52 +00:00 · bec33b2311
commit bec33b2311
parent a146ab2e7a
2 changed files with 4 additions and 3 deletions
--- a/unix/uxagentc.c
+++ b/unix/uxagentc.c
@ -134,7 +134,7 @@ agent_pending_query *agent_query(
    agent_pending_query *conn;

    name = getenv("SSH_AUTH_SOCK");
-    if (!name)
+    if (!name || strlen(name) >= sizeof(addr.sun_path))
 	goto failure;

    sock = socket(PF_UNIX, SOCK_STREAM, 0);
@ -146,7 +146,7 @@ agent_pending_query *agent_query(
    cloexec(sock);

    addr.sun_family = AF_UNIX;
-    strncpy(addr.sun_path, name, sizeof(addr.sun_path));
+    strcpy(addr.sun_path, name);
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
 	close(sock);
 	goto failure;
--- a/unix/uxnet.c
+++ b/unix/uxnet.c
@ -1620,7 +1620,8 @@ SockAddr unix_sock_addr(const char *path)

    if (n < 0)
 	ret->error = "snprintf failed";
-    else if (n >= sizeof ret->hostname)
+    else if (n >= sizeof ret->hostname ||
+             n >= sizeof(((struct sockaddr_un *)0)->sun_path))
 	ret->error = "socket pathname too long";

 #ifndef NO_IPV6