[PATCH] 0ffb95f Socket.xs heap-buffer-overflow with abstract AF_UNIX paths #11989
From @rurban
This is a bug report for perl from rurban@cpanel.net,
From 0ffb95f270b1e08e8ad99c36417f2ec48c4f9b05 Mon Sep 17 00:00:00 2001
AddressSanitizer heap-buffer-overflow on Socket.xs:718 Copy(sun_ad, &addr, sizeof(addr), char);
Avoid reading past sun_ad->pv size and zero the uninitialized data.
cpan/Socket/Socket.xs | 10 ++++++++--
diff --git a/cpan/Socket/Socket.xs b/cpan/Socket/Socket.xs
index 665553c..4e69cb8 100644
--- a/cpan/Socket/Socket.xs
+++ b/cpan/Socket/Socket.xs
@@ -713,9 +713,15 @@ unpack_sockaddr_un(sun_sv)
if (sockaddrlen != sizeof(addr))
croak("Bad arg length for %s, length is %"UVuf", should be %"UVuf,
"Socket::unpack_sockaddr_un", (UV)sockaddrlen, (UV)sizeof(addr));
-# endif
-
Copy(sun_ad, &addr, sizeof(addr), char);
+# else
+ if (sockaddrlen < sizeof(addr)) {
+ Copy(sun_ad, &addr, sockaddrlen, char);
+ Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char);
+ } else {
+ Copy(sun_ad, &addr, sizeof(addr), char);
+ }
+# endif
if (addr.sun_family != AF_UNIX)
croak("Bad address family for %s, got %d, should be %d",
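Review bot: The `Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char);` line in the new `sockaddrlen < sizeof(addr)` branch does its arithmetic on `&addr`, a pointer to the whole address structure, so `+sockaddrlen` advances in units of `sizeof(addr)` rather than bytes and the zero fill lands outside `addr` instead of on its uncopied tail. Cast before adding, as in `Zero((char*)&addr + sockaddrlen, sizeof(addr)-sockaddrlen, char);`, or zero all of `addr` before the short `Copy` so that no offset is needed. As written, the change replaces the over-read that AddressSanitizer reported with an out-of-bounds write for any non-zero short length.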
--
Flags: Site configuration information for perl 5.15.7: Configured by rurban at Sun Jan 22 12:13:34 CST 2012. Summary of my perl5 (revision 5 version 15 subversion 7) configuration: Locally applied patches: @INC for perl 5.15.7: Environment for perl 5.15.7: |
From @rurban
Re-attach patch |
From @rurban
0001-Socket.xs-heap-buffer-overflow-with-abstract-AF_UNIX.patch
From 0ffb95f270b1e08e8ad99c36417f2ec48c4f9b05 Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@x-ray.at>
Date: Tue, 6 Mar 2012 17:07:35 -0600
Subject: [PATCH] Socket.xs heap-buffer-overflow with abstract AF_UNIX paths
AddressSanitizer heap-buffer-overflow on Socket.xs:718 Copy(sun_ad, &addr, sizeof(addr), char);
on linux with cpan/Socket/t/Socket.t test 17 sockaddr_un can handle abstract AF_UNIX.
Avoid reading past sun_ad->pv size and zero the uninitialized data.
---
cpan/Socket/Socket.xs | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/cpan/Socket/Socket.xs b/cpan/Socket/Socket.xs
index 665553c..4e69cb8 100644
--- a/cpan/Socket/Socket.xs
+++ b/cpan/Socket/Socket.xs
@@ -713,9 +713,15 @@ unpack_sockaddr_un(sun_sv)
if (sockaddrlen != sizeof(addr))
croak("Bad arg length for %s, length is %"UVuf", should be %"UVuf,
"Socket::unpack_sockaddr_un", (UV)sockaddrlen, (UV)sizeof(addr));
-# endif
-
Copy(sun_ad, &addr, sizeof(addr), char);
+# else
+ if (sockaddrlen < sizeof(addr)) {
+ Copy(sun_ad, &addr, sockaddrlen, char);
+ Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char);
+ } else {
+ Copy(sun_ad, &addr, sizeof(addr), char);
+ }
+# endif
if (addr.sun_family != AF_UNIX)
croak("Bad address family for %s, got %d, should be %d",
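Review bot: The `else` arm of the new `# else` block copies `sizeof(addr)` bytes for any `sockaddrlen` at or above that size without complaint, and nothing rejects a length too short to hold `sun_family` before `addr.sun_family != AF_UNIX` is tested, so both an oversized and an undersized input get past this path with no length error. Decide whether either case should croak, then collapse the two arms into one: zero `addr` up front and copy `sockaddrlen < sizeof(addr) ? sockaddrlen : sizeof(addr)` bytes, which also removes the offset computation in the `Zero` call. A short comment at `# else` stating which platforms take the short-copy path and why the exact-length check does not apply there would help, since the opening `#if` is outside this hunk.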
--
1.7.5.4
|
The RT System itself - Status changed from 'new' to 'open' |
From [Unknown Contact. See original ticket]
This was fixed in Socket 2.000, imported to blead in |
@rjbs - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#111594 (status was 'resolved')
Searchable as RT111594$