author | ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com> | 2017-10-04 15:23:03 +0900 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2017-10-05 16:40:00 +0300 |
commit | 9e997ed2f528ff50e7394b33447a91937e939cf3 (patch) | |
tree | 94c6eefe56257e25c6fa5510b2968451c2edf6eb /monitor/control.c | |
parent | 42a83dbb0cfe4d9e1613a02dbe69eec242ee0aff (diff) | |
monitor: Fix buffer overflow with unix socket

If btmon uses a unix socket, which has a long pathname, then the
buffer overflow occurs as below:

    *** strcpy_chk: buffer overflow detected ***: program terminated
       at 0x4C3085C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x4C34E46: __strcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x4084FE: strcpy (string3.h:110)
       by 0x4084FE: control_server (control.c:1148)
       by 0x4029E9: main (main.c:144)

This patch also gives an error and stops running when parsing command-line
arguments if the unix socket pathname is too long. And this patch adds the
redundant check in control_server() to prevent the regression when reusing
in the future.

Diffstat (limited to 'monitor/control.c')
-rw-r--r-- | monitor/control.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/monitor/control.c b/monitor/control.c index 9bbdc37dc..1cd79ca5d 100644 --- a/monitor/control.c +++ b/monitor/control.c @@ -1130,11 +1130,18 @@ static int server_fd = -1; void control_server(const char *path) { struct sockaddr_un addr; + size_t len; int fd; if (server_fd >= 0) return; + len = strlen(path); + if (len > sizeof(addr.sun_path) - 1) { + fprintf(stderr, "Socket name too long\n"); + return; + } + unlink(path); fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); @@ -1145,7 +1152,7 @@ void control_server(const char *path) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - strcpy(addr.sun_path, path); + strncpy(addr.sun_path, path, len); if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) { perror("Failed to bind server socket"); |
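
Review bot: the early exit added in the first hunk (@@ -1130,11 +1130,18 @@) is invisible to the caller. control_server() is declared void, so after `fprintf(stderr, "Socket name too long\n");` the bare `return;` leaves the caller with no way to tell that no server socket was set up. Consider returning a status from the function, or add a comment above the check saying that callers are expected to validate the path length themselves and that this is only a backstop. Printing the limit, sizeof(addr.sun_path) - 1, in the message would also make the error easier to act on.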
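
Review bot: in the second hunk (@@ -1145,7 +1152,7 @@), `strncpy(addr.sun_path, path, len);` is bounded by the source length instead of the destination size, so it never writes a terminating NUL and does not limit the copy by itself. It is correct only because of the `memset(&addr, 0, sizeof(addr));` just above it and the length check added earlier in the function, and that dependency is not documented at the call. Bounding a strncpy by strlen() of its source is also a pattern GCC flags with -Wstringop-truncation. Suggest `strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);`, or `memcpy(addr.sun_path, path, len);` with a short comment that the memset supplies the terminator.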