From 104e110e1af1818cda86ddf18671c0c1b031a549 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 17 Jan 2022 10:21:34 +0100 Subject: [PATCH] [PATCH] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542) Processing an overlong pathname in the sunrpc clnt_create function results in a stack-based buffer overflow. Reviewed-by: Siddhesh Poyarekar Helmut Grohne: Ported to glibc 2.28. Inlined __sockaddr_un_set. Gbp-Pq: Topic all Gbp-Pq: Name git-CVE-2022-23219-Buffer-overflow-in-sunrpc-clnt_create.diff --- sunrpc/clnt_gen.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c index 13ced8994..f8682567d 100644 --- a/sunrpc/clnt_gen.c +++ b/sunrpc/clnt_gen.c @@ -57,9 +57,17 @@ clnt_create (const char *hostname, u_long prog, u_long vers, if (strcmp (proto, "unix") == 0) { - memset ((char *)&sun, 0, sizeof (sun)); + size_t name_length = strlen(hostname); + if (name_length >= sizeof(sun.sun_path)) + { + struct rpc_createerr *ce = &get_rpc_createerr (); + ce->cf_stat = RPC_SYSTEMERROR; + __set_errno (EINVAL); /* Error code used by the kernel. */ + ce->cf_error.re_errno = errno; + return NULL; + } sun.sun_family = AF_UNIX; - strcpy (sun.sun_path, hostname); + memcpy(sun.sun_path, hostname, name_length + 1); sock = RPC_ANYSOCK; client = clntunix_create (&sun, prog, vers, &sock, 0, 0); if (client == NULL) -- 2.30.2