From bec33b23119d9363854a2d0b4f4ca0fe893827aa Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Tue, 14 Feb 2017 21:59:52 +0000
Subject: [PATCH] Properly check the lengths of Unix-socket pathnames.

If something is too long to fit in a sun_addr, we should spot that
well in advance and not try.
---
 unix/uxagentc.c | 4 ++--
 unix/uxnet.c    | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/unix/uxagentc.c b/unix/uxagentc.c
index 7732a9a1..ffc5879c 100644
--- a/unix/uxagentc.c
+++ b/unix/uxagentc.c
@@ -134,7 +134,7 @@ agent_pending_query *agent_query(
     agent_pending_query *conn;
 
     name = getenv("SSH_AUTH_SOCK");
-    if (!name)
+    if (!name || strlen(name) >= sizeof(addr.sun_path))
 	goto failure;
 
     sock = socket(PF_UNIX, SOCK_STREAM, 0);
@@ -146,7 +146,7 @@ agent_pending_query *agent_query(
     cloexec(sock);
 
     addr.sun_family = AF_UNIX;
-    strncpy(addr.sun_path, name, sizeof(addr.sun_path));
+    strcpy(addr.sun_path, name);
     if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
 	close(sock);
 	goto failure;
diff --git a/unix/uxnet.c b/unix/uxnet.c
index 47490a1e..79f4fbce 100644
--- a/unix/uxnet.c
+++ b/unix/uxnet.c
@@ -1620,7 +1620,8 @@ SockAddr unix_sock_addr(const char *path)
 
     if (n < 0)
 	ret->error = "snprintf failed";
-    else if (n >= sizeof ret->hostname)
+    else if (n >= sizeof ret->hostname ||
+             n >= sizeof(((struct sockaddr_un *)0)->sun_path))
 	ret->error = "socket pathname too long";
 
 #ifndef NO_IPV6