Message ID | 20190715064623.623B7E0148@unicorn.suse.cz |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
Series | [conntrack-tools] conntrackd: use correct max unix path length | expand |
On Mon, Jul 15, 2019 at 08:46:23AM +0200, Michal Kubecek wrote: > When copying value of "Path" option for unix socket, target buffer size is > UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure > that the path is null terminated and bail out if user provided path is too > long rather than silently truncate it. Applied, thanks Michal.
diff --git a/src/read_config_yy.y b/src/read_config_yy.y index ceba6fc0d242..4311cd6c9a2f 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -689,8 +689,13 @@ unix_options: unix_option : T_PATH T_PATH_VAL { - strncpy(conf.local.path, $2, PATH_MAX); + strncpy(conf.local.path, $2, UNIX_PATH_MAX); free($2); + if (conf.local.path[UNIX_PATH_MAX - 1]) { + dlog(LOG_ERR, "UNIX Path is longer than %u characters", + UNIX_PATH_MAX - 1); + exit(EXIT_FAILURE); + } }; unix_option : T_BACKLOG T_NUMBER
When copying value of "Path" option for unix socket, target buffer size is UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure that the path is null terminated and bail out if user provided path is too long rather than silently truncate it. Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path") Signed-off-by: Michal Kubecek <mkubecek@suse.cz> --- src/read_config_yy.y | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)