@@ -148,12 +148,18 @@ static int connect_socket(const char *path_or_fd) {
return fd;
}
+ if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+ fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+ path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+ return -1;
+ }
+
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd == -1)
return -1;
addr.sun_family = AF_UNIX;
- strncpy(addr.sun_path, path_or_fd, sizeof(addr.sun_path));
+ strcpy(addr.sun_path, path_or_fd);
if (connect(fd, (const struct sockaddr *)&addr, sizeof(addr)) == -1) {
close(fd);
return -1;
@@ -174,13 +180,19 @@ static int listen_socket(const char *path_or_fd) {
return fd;
}
+ if (strlen(path_or_fd) >= sizeof(addr.sun_path)) {
+ fprintf(stderr, "UNIX socket path \"%s\" too long (%zd >= %zd)\n",
+ path_or_fd, strlen(path_or_fd), sizeof(addr.sun_path));
+ return -1;
+ }
+
/* if not a number, assume a socket path */
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd == -1)
return -1;
addr.sun_family = AF_UNIX;
- strncpy(addr.sun_path, path_or_fd, sizeof(addr.sun_path));
+ strcpy(addr.sun_path, path_or_fd);
if (bind(fd, (const struct sockaddr *)&addr, sizeof(addr)) == -1) {
close(fd);
return -1;
Check the socket path length to ensure sun_path is NUL terminated. This was spotted by Citrix's Coverity. Also use strcpy to avoid a warning "'__builtin_strncpy' specified bound 108 equals destination size [-Werror=stringop-truncation]" flagged by gcc 10. Signed-off-by: Jason Andryuk <jandryuk@gmail.com> --- CC: Olaf Hering <olaf@aepfle.de> With Ubuntu's gcc-10, which is a pre-release "gcc-10 (Ubuntu 10-20200411-0ubuntu1) 10.0.1 20200411 (experimental)", I couldn't actualy generate the strncpy warning. tools/libvchan/vchan-socket-proxy.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-)