From: Oliver Kurth
Date: Wed, 7 Feb 2018 00:32:40 +0000 (-0800)
Subject: fix buffer overrun in AsyncTCPSocketConnect()
X-Git-Tag: stable-10.3.0~130
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee4bd450c4449f8905dbca2e4759660fda5c58dc;p=thirdparty%2Fopen-vm-tools.git

fix buffer overrun in AsyncTCPSocketConnect()

Callers may pass a struct smaller than sockaddr_storage, but a sockaddr_storage-sized chunk gets copied to asock->remoteAddr. memcpy() should be used.

One such caller is AsyncSocket_ConnectUnixDomain(). It passes sockaddr_un. sizeof(sockaddr_un) == 110, sizeof(sockaddr_storage) == 128.

Caught by AddressSanitizer.
---
diff --git a/open-vm-tools/lib/asyncsocket/asyncsocket.c b/open-vm-tools/lib/asyncsocket/asyncsocket.c index 7e8c6e35e..65b07109a 100644 --- a/open-vm-tools/lib/asyncsocket/asyncsocket.c +++ b/open-vm-tools/lib/asyncsocket/asyncsocket.c @@ -2046,7 +2046,7 @@ AsyncTCPSocketConnect(struct sockaddr_storage *addr, // IN asock->clientData = clientData; /* Store a copy of the sockaddr_storage so we can look it up later. */ - asock->remoteAddr = *addr; + memcpy(&(asock->remoteAddr), addr, addrLen); asock->remoteAddrLen = addrLen; AsyncTCPSocketUnlock(asock);
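
Review bot: the added memcpy(&(asock->remoteAddr), addr, addrLen) in AsyncTCPSocketConnect() has no upper bound on addrLen visible in this hunk, so the change removes the over-read of the caller's smaller struct but would write past asock->remoteAddr if a caller ever passed addrLen larger than sizeof asock->remoteAddr. Unless that is already validated earlier in the function, outside the lines shown, add a check or assertion such as addrLen <= sizeof asock->remoteAddr before the copy. Two smaller points: the bytes of remoteAddr beyond addrLen are no longer overwritten by this assignment, so either clear the field first or make sure every reader honours remoteAddrLen; and the comment still says "a copy of the sockaddr_storage" while the parameter remains struct sockaddr_storage *addr, which misstates what callers such as AsyncSocket_ConnectUnixDomain() actually pass. Updating the comment, and considering struct sockaddr * for the parameter, would document that the object may be shorter.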