From: Christian Hofstaedtler <christian@hofstaedtler.name>
Date: Sat, 24 Aug 2013 13:22:12 +0000 (+0200)
Subject: Don't overflow the sockaddr_un-provided static buffer
X-Git-Tag: rec-3.6.0-rc1~506^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06dbd1bdad44001f80313f6b663387d6e16b1eec;p=thirdparty%2Fpdns.git

Don't overflow the sockaddr_un-provided static buffer

sun_path is a buffer with a static length. A too long socket-dir could
overflow it.

Fix for Coverity CID 1029977 & 1029978 (Recursor). While the Auth had
the same problem, there were no Coverity results for it, likely because
of the use of strncpy there.
---

diff --git a/pdns/dynlistener.cc b/pdns/dynlistener.cc
index d70e5d724d..117c8b5e8b 100644
--- a/pdns/dynlistener.cc
+++ b/pdns/dynlistener.cc
@@ -96,7 +96,11 @@ bool DynListener::testLive(const string& fname)
 
   memset(&addr, 0, sizeof(addr));
   addr.sun_family = AF_UNIX;
-  strncpy(addr.sun_path, fname.c_str(), fname.length());
+  if(fname.length()+1 > sizeof(addr.sun_path)) {
+    L<<Logger::Critical<<"Unable to open controlsocket, path '"<<fname<<"' too long."<<endl;
+    exit(1);
+  }
+  strcpy(addr.sun_path, fname.c_str());
 
   int status = connect(fd, (struct sockaddr*)&addr, sizeof(addr));
   close(fd);
@@ -118,7 +122,11 @@ void DynListener::listenOnUnixDomain(const string& fname)
   struct sockaddr_un local;
   memset(&local,0,sizeof(local));
   local.sun_family=AF_UNIX;
-  strncpy(local.sun_path, fname.c_str(), fname.length());
+  if(fname.length()+1 > sizeof(local.sun_path)) {
+    L<<Logger::Critical<<"Unable to bind to controlsocket, path '"<<fname<<"' too long."<<endl;
+    exit(1);
+  }
+  strcpy(local.sun_path, fname.c_str());
   
   createSocketAndBind(AF_UNIX, (struct sockaddr*)& local, sizeof(local));
   d_socketname=fname;
@@ -382,4 +390,4 @@ string DynListener::getHelp()
   // hack: this removes the duplicate quit method
   funcs.resize(unique(funcs.begin(), funcs.end()) - funcs.begin());
   return boost::join(funcs, "\n");
-}
\ No newline at end of file
+}
diff --git a/pdns/rec_channel.cc b/pdns/rec_channel.cc
index 38d70daf22..14567a3023 100644
--- a/pdns/rec_channel.cc
+++ b/pdns/rec_channel.cc
@@ -45,6 +45,8 @@ int RecursorControlChannel::listen(const string& fname)
 
   memset(&d_local,0,sizeof(d_local));
   d_local.sun_family=AF_UNIX;
+  if(fname.length()+1 > sizeof(d_local.sun_path))
+    throw PDNSException("Unable to bind to controlsocket, path '"+fname+"' too long.");
   strcpy(d_local.sun_path, fname.c_str());
     
   if(bind(d_fd, (sockaddr*)&d_local,sizeof(d_local))<0)