public inbox for glibc-bugs@sourceware.org
* [Bug network/28768] New: Buffer overflow in svcunix_create with long pathnames
From: fweimer at redhat dot com @ 2022-01-12  9:40 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

            Bug ID: 28768
           Summary: Buffer overflow in svcunix_create with long pathnames
           Product: glibc
           Version: 2.34
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security+

This is similar to bug 22542, but in different code:

SVCXPRT *
svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
{
  bool_t madesock = FALSE;
  SVCXPRT *xprt;
  struct unix_rendezvous *r;
  struct sockaddr_un addr;
  socklen_t len = sizeof (struct sockaddr_in);

  if (sock == RPC_ANYSOCK)
    {
      if ((sock = __socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror (_("svc_unix.c - AF_UNIX socket creation problem"));
          return (SVCXPRT *) NULL;
        }
      madesock = TRUE;
    }
  memset (&addr, '\0', sizeof (addr));
  addr.sun_family = AF_UNIX;
  len = strlen (path) + 1;
  memcpy (addr.sun_path, path, len);
  len += sizeof (addr.sun_family);
[…]

There is no length check, either.

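The missing length check described in the report above, as an added example that is not part of the original report and is not glibc's own patch: a hypothetical helper, `unix_addr_from_path`, refuses a path that does not fit in `sun_path` before copying it. The helper name, the choice of `ENAMETOOLONG`, and the constructed 'a'-filled test paths are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not a glibc function: fill *addr from path and
   refuse any path that does not fit in sun_path together with its NUL.
   Returns 0 and stores the bind() length in *len, or -1 with errno set.  */
static int
unix_addr_from_path (struct sockaddr_un *addr, const char *path,
                     socklen_t *len)
{
  size_t n = strlen (path) + 1;   /* bytes to copy, including the NUL */
  if (n > sizeof (addr->sun_path))
    {
      errno = ENAMETOOLONG;       /* reject instead of writing past addr */
      return -1;
    }
  memset (addr, 0, sizeof (*addr));
  addr->sun_family = AF_UNIX;
  memcpy (addr->sun_path, path, n);
  *len = (socklen_t) (offsetof (struct sockaddr_un, sun_path) + n);
  return 0;
}

/* Constructed input: a path made of `chars` copies of 'a'.  */
static int
try_path_of_length (size_t chars)
{
  char path[512];
  struct sockaddr_un addr;
  socklen_t len = 0;
  if (chars >= sizeof (path))
    return -2;
  memset (path, 'a', chars);
  path[chars] = '\0';
  return unix_addr_from_path (&addr, path, &len);
}

int
main (void)
{
  size_t cap = sizeof (((struct sockaddr_un *) 0)->sun_path);
  printf ("%zu chars: %d\n", cap - 1, try_path_of_length (cap - 1));
  printf ("%zu chars: %d\n", cap, try_path_of_length (cap));
  return 0;
}
```

The boundary is `sizeof (addr.sun_path)` bytes including the terminating NUL, so the longest accepted path is one character shorter than the array.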

Thread overview: 7+ messages
2022-01-12  9:40 [Bug network/28768] New: Buffer overflow in svcunix_create with long pathnames fweimer at redhat dot com
2022-01-12  9:40 ` [Bug network/28768] " fweimer at redhat dot com
2022-01-14  8:14 ` [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218) siddhesh at sourceware dot org
2022-01-14 21:21 ` sam at gentoo dot org
2022-01-15 15:41 ` aurelien at aurel32 dot net
2022-01-17  9:09 ` pgowda.cve at gmail dot com
2022-01-17 13:07 ` fweimer at redhat dot com
