Do not read uninitialized memory in conv_sockaddr_to_lisp

43c75c8e · Daniel Colascione · 8266cd88 · ea64063f · 43c75c8e · 43c75c8e
Commit 43c75c8e authored Mar 21, 2014 by Daniel Colascione
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 4 deletions

src/ChangeLog src/ChangeLog +6 -0

src/process.c src/process.c +16 -4

No files found.
--- a/src/ChangeLog
+++ b/src/ChangeLog
+2014-03-22  Daniel Colascione  <dancol@dancol.org>
+
+	* process.c (conv_sockaddr_to_lisp): When extracting the string
+	names of AF_LOCAL sockets, stop before reading uninitialized
+	memory.
+
 2014-03-21  YAMAMOTO Mitsuharu  <mituharu@math.s.chiba-u.ac.jp>

 	Fix regression introduced by patch for Bug#10500.

--- a/src/process.c
+++ b/src/process.c
@@ -2010,10 +2010,22 @@ conv_sockaddr_to_lisp (struct sockaddr *sa, int len)
    case AF_LOCAL:
      {
 	struct sockaddr_un *sockun = (struct sockaddr_un *) sa;
-	for (i = 0; i < sizeof (sockun->sun_path); i++)
-	  if (sockun->sun_path[i] == 0)
-	    break;
-	return make_unibyte_string (sockun->sun_path, i);
+        ptrdiff_t name_length = len - offsetof (struct sockaddr_un, sun_path);
+        /* If the first byte is NUL, the name is a Linux abstract
+           socket name, and the name can contain embedded NULs.  If
+           it's not, we have a NUL-terminated string.  Be careful not
+           to walk past the end of the object looking for the name
+           terminator, however.  */
+        if (name_length > 0 && sockun->sun_path[0] != '\0')
+          {
+            const char* terminator =
+              memchr (sockun->sun_path, '\0', name_length);
+
+            if (terminator)
+              name_length = terminator - (const char*) sockun->sun_path;
+          }
+
+	return make_unibyte_string (sockun->sun_path, name_length);
      }
 #endif
    default: