Skip Menu |
 

This queue is for tickets about the Socket CPAN distribution.

Report information
The Basics
Id: 75623
Status: resolved
Priority: 0/
Queue: Socket

People
Owner: Nobody in particular
Requestors: leonerd-cpan [...] leonerd.org.uk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 2.000

Attachments
0001-Socket.xs-heap-buffer-overflow-with-abstract-AF_UNIX.patch



Subject: Socket.xs heap-buffer-overflow with abstract AF_UNIX paths
Attached patch -- Paul Evans
Subject: 0001-Socket.xs-heap-buffer-overflow-with-abstract-AF_UNIX.patch
From 0ffb95f270b1e08e8ad99c36417f2ec48c4f9b05 Mon Sep 17 00:00:00 2001 From: Reini Urban <rurban@x-ray.at> Date: Tue, 6 Mar 2012 17:07:35 -0600 Subject: [PATCH] Socket.xs heap-buffer-overflow with abstract AF_UNIX paths AddressSanitizer heap-buffer-overflow on Socket.xs:718 Copy(sun_ad, &addr, sizeof(addr), char); on linux with cpan/Socket/t/Socket.t test 17 sockaddr_un can handle abstract AF_UNIX. Avoid reading past sun_ad->pv size and zero the uninitialized data. --- cpan/Socket/Socket.xs | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cpan/Socket/Socket.xs b/cpan/Socket/Socket.xs index 665553c..4e69cb8 100644 --- a/cpan/Socket/Socket.xs +++ b/cpan/Socket/Socket.xs @@ -713,9 +713,15 @@ unpack_sockaddr_un(sun_sv) if (sockaddrlen != sizeof(addr)) croak("Bad arg length for %s, length is %"UVuf", should be %"UVuf, "Socket::unpack_sockaddr_un", (UV)sockaddrlen, (UV)sizeof(addr)); -# endif - Copy(sun_ad, &addr, sizeof(addr), char); +# else + if (sockaddrlen < sizeof(addr)) { + Copy(sun_ad, &addr, sockaddrlen, char); + Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char); + } else { + Copy(sun_ad, &addr, sizeof(addr), char); + } +# endif if (addr.sun_family != AF_UNIX) croak("Bad address family for %s, got %d, should be %d", -- 1.7.5.4
Download (untitled) / with headers
text/plain 135b
Applied (modified) in latest source code. Will be in next release; which may be a 1.99_ddd devel, or the real 2.000. -- Paul Evans
Released as 2.000 -- Paul Evans


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.