Use bcopy instead of strlcpy in uipc_bind and unp_connect, since

soun->sun_path isn't a null-terminated string. As UNIX(4) states, "the terminating NUL is not part of the address." Since strlcpy has to return "the total length of the string [it] tried to create," it walks off the end of soun->sun_path looking for a \0. This reverts r105332. Reported by: Ryan Stone
svn path=/head/; revision=180238
2025-01-31 16:57:10 +00:00 · 2008-07-03 23:26:10 +00:00 · 2008-07-03 23:26:10 +00:00 · 7928893d83 · 2020-12-20 02:59:44 +00:00
commit 7928893d83
parent 8bb8d6397d
1 changed files with 4 additions and 2 deletions
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -416,7 +416,8 @@ uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
 	UNP_PCB_UNLOCK(unp);

 	buf = malloc(namelen + 1, M_TEMP, M_WAITOK);
-	strlcpy(buf, soun->sun_path, namelen + 1);
+	bcopy(soun->sun_path, buf, namelen);
+	buf[namelen] = 0;

 restart:
 	vfslocked = 0;
@ -1129,7 +1130,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 	len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
 	if (len <= 0)
 		return (EINVAL);
-	strlcpy(buf, soun->sun_path, len + 1);
+	bcopy(soun->sun_path, buf, len);
+	buf[len] = 0;

 	UNP_PCB_LOCK(unp);
 	if (unp->unp_flags & UNP_CONNECTING) {