]> git.ipfire.org Git - thirdparty/open-vm-tools.git/commitdiff
projects / thirdparty / open-vm-tools.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 13df0e2)
fix buffer overrun in AsyncTCPSocketConnect()
authorOliver Kurth <okurth@vmware.com>
Wed, 7 Feb 2018 00:32:40 +0000 (16:32 -0800)
committerOliver Kurth <okurth@vmware.com>
Wed, 7 Feb 2018 00:32:40 +0000 (16:32 -0800)
Callers may pass a struct smaller than sockaddr_storage, but a
sockaddr_storage-sized chunk gets copied to asock->remoteAddr.
memcpy() should be used.

One such caller is AsyncSocket_ConnectUnixDomain(). It passes sockaddr_un.
sizeof(sockaddr_un) == 110, sizeof(sockaddr_storage) == 128.

Caught by AddressSanitizer.

open-vm-tools/lib/asyncsocket/asyncsocket.c patch | blob | blame | history

diff --git a/open-vm-tools/lib/asyncsocket/asyncsocket.c b/open-vm-tools/lib/asyncsocket/asyncsocket.c
index 7e8c6e35e42fb5d295ee071058bf8a7ac7c21c74..65b07109afc0f3ef2823fc01a6e68bf123dacd01 100644 (file)
--- a/open-vm-tools/lib/asyncsocket/asyncsocket.c
+++ b/open-vm-tools/lib/asyncsocket/asyncsocket.c
@@ -2046,7 +2046,7 @@ AsyncTCPSocketConnect(struct sockaddr_storage *addr,         // IN
    asock->clientData = clientData;
 
    /* Store a copy of the sockaddr_storage so we can look it up later. */
-   asock->remoteAddr = *addr;
+   memcpy(&(asock->remoteAddr), addr, addrLen);
    asock->remoteAddrLen = addrLen;
 
    AsyncTCPSocketUnlock(asock);
Mirror of https://github.com/vmware/open-vm-tools.git