File svcunix-create-overflow.patch of Package glibc.33856

Overview Repositories Revisions Requests Users Attributes Meta

File svcunix-create-overflow.patch of Package glibc.33856

From f545ad4928fa1f27a3075265182b38a4f939a5f7 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Jan 2022 10:21:34 +0100
Subject: [PATCH] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug
 28768)

The sunrpc function svcunix_create suffers from a stack-based buffer
overflow with overlong pathname arguments.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
 NEWS                  |  3 +++
 sunrpc/Makefile       |  2 +-
 sunrpc/svc_unix.c     | 11 ++++-------
 sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+), 8 deletions(-)
 create mode 100644 sunrpc/tst-bug28768.c

Index: glibc-2.22/sunrpc/svc_unix.c
===================================================================
--- glibc-2.22.orig/sunrpc/svc_unix.c
+++ glibc-2.22/sunrpc/svc_unix.c
@@ -153,7 +153,10 @@ svcunix_create (int sock, u_int sendsize
   SVCXPRT *xprt;
   struct unix_rendezvous *r;
   struct sockaddr_un addr;
-  socklen_t len = sizeof (struct sockaddr_in);
+  socklen_t len = sizeof (addr);
+
+  if (__sockaddr_un_set (&addr, path) < 0)
+    return NULL;
 
   if (sock == RPC_ANYSOCK)
     {
@@ -164,12 +167,6 @@ svcunix_create (int sock, u_int sendsize
 	}
       madesock = TRUE;
     }
-  memset (&addr, '\0', sizeof (addr));
-  addr.sun_family = AF_UNIX;
-  len = strlen (path) + 1;
-  memcpy (addr.sun_path, path, len);
-  len += sizeof (addr.sun_family);
-
   __bind (sock, (struct sockaddr *) &addr, len);
 
   if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0

Places

File svcunix-create-overflow.patch of Package glibc.33856

Places