From: Vincent Bernat <vincent@bernat.ch>
Date: Sat, 9 May 2026 12:38:33 +0000 (+0200)
Subject: daemon/seccomp: fix out-of-bounds index of syscall_names
X-Git-Tag: 1.0.22~26
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=7ba39ef0cd5b9ab50b852aa960be3a5fe7f021af;p=thirdparty%2Flldpd.git

daemon/seccomp: fix out-of-bounds index of syscall_names

The bound used `sizeof(syscall_names)` (byte size of the pointer array)
instead of the entry count, allowing the SIGSYS handler to read up to
`sizeof(char*)-1` entries past the end of the table when an unexpected
syscall number was trapped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---

diff --git a/src/daemon/priv-seccomp.c b/src/daemon/priv-seccomp.c
index a06065a5..0856ac66 100644
--- a/src/daemon/priv-seccomp.c
+++ b/src/daemon/priv-seccomp.c
@@ -71,7 +71,9 @@ priv_seccomp_trap_handler(int signal, siginfo_t *info, void *vctx)
 	/* Log them. Technically, `log_warnx()` is not signal safe, but we are
 	 * unlikely to reenter here. */
 	log_warnx("seccomp", "invalid syscall attempted: %s(%d)",
-	    (syscall < sizeof(syscall_names)) ? syscall_names[syscall] : "unknown",
+	    (syscall < sizeof(syscall_names) / sizeof(syscall_names[0])) ?
+		syscall_names[syscall] :
+		"unknown",
 	    syscall);
 
 	/* Kill children and exit */