unix: check that a length of a socket is less than UNIX_PATH_MAX

CID 190774 (#1 of 1): Out-of-bounds access (OVERRUN) 5. overrun-buffer-arg: Overrunning array addr.sun_path of 108 bytes by passing it to a function which accesses it at byte offset 4094 using argument ui->ue->name.len (which evaluates to 4095). Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
cyrillos · Oct 30, 2018 · 682610a · 682610a
1 parent 80d2c21
commit 682610a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/criu/sk-unix.c b/criu/sk-unix.c
@@ -1408,7 +1408,7 @@ static int bind_on_deleted(int sk, struct unix_sk_info *ui)
 	bool renamed = false;
 	int ret;
 
-	if (ui->ue->name.len >= sizeof(path)) {
+	if (ui->ue->name.len >= sizeof(UNIX_PATH_MAX)) {
 		pr_err("ghost: Too long name for socket id %#x ino %d name %s\n",
 		       ui->ue->id, ui->ue->ino, ui->name);
 		return -ENOSPC;