[PATCH] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
authorFlorian Weimer <fweimer@redhat.com>
Mon, 17 Jan 2022 09:21:34 +0000 (10:21 +0100)
committerAdrian Bunk <bunk@debian.org>
Sat, 29 Jun 2024 10:27:34 +0000 (13:27 +0300)
Processing an overlong pathname in the sunrpc clnt_create function
results in a stack-based buffer overflow.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Helmut Grohne: Ported to glibc 2.28. Inlined __sockaddr_un_set.

Gbp-Pq: Topic all
Gbp-Pq: Name git-CVE-2022-23219-Buffer-overflow-in-sunrpc-clnt_create.diff

sunrpc/clnt_gen.c

index 13ced8994e49d4ee744a35c3ac4bd840f5d0abb5..f8682567d0ad03bd53bfce9ee83ce1d9699dbfaf 100644 (file)
@@ -57,9 +57,17 @@ clnt_create (const char *hostname, u_long prog, u_long vers,
 
   if (strcmp (proto, "unix") == 0)
     {
-      memset ((char *)&sun, 0, sizeof (sun));
+      size_t name_length = strlen(hostname);
+      if (name_length >= sizeof(sun.sun_path))
+       {
+         struct rpc_createerr *ce = &get_rpc_createerr ();
+         ce->cf_stat = RPC_SYSTEMERROR;
+         __set_errno (EINVAL);     /* Error code used by the kernel.  */
+         ce->cf_error.re_errno = errno;
+         return NULL;
+       }
       sun.sun_family = AF_UNIX;
-      strcpy (sun.sun_path, hostname);
+      memcpy(sun.sun_path, hostname, name_length + 1);
       sock = RPC_ANYSOCK;
       client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
       if (client == NULL)
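Review bot: The removed `memset ((char *)&sun, 0, sizeof (sun));` is not replaced, so after the new `memcpy` the bytes of `sun.sun_path` past the terminator (and any padding) are left uninitialized before `&sun` is handed to `clntunix_create`; the upstream `__sockaddr_un_set` that this port inlines zeroes the whole struct before filling it. Unless `sun` is zero-initialized at its declaration, which is outside this hunk, the fix should keep the clearing step: insert `memset (&sun, 0, sizeof (sun));` immediately before `sun.sun_family = AF_UNIX;`. The length check itself is correct — rejecting `name_length >= sizeof (sun.sun_path)` leaves room for the NUL that `memcpy (..., name_length + 1)` copies — and a one-line comment such as `/* Reject names that would not fit with their terminator; see SUN_LEN.  */` above the `if` would document why `>=` rather than `>` is used. `clnt_create` begins before and continues after this hunk.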