Hi,

The implementation of getpeername(fd, addr, len) (in libc/sysdeps/mach/hurd/getpeername.c) performs addr->sa_family = type; without checking that *len is big enough, so that getpeername(fd, NULL, NULL); crashes (while it is a common way to determine whether an fd is a socket).
Here is some patch: 2005-08-11 Samuel Thibault <[EMAIL PROTECTED]> * sysdeps/mach/hurd/getpeername.c (__getpeername): Check length of buffer before writing the sa_family member. Index: sysdeps/mach/hurd/getpeername.c =================================================================== RCS file: /cvs/glibc/libc/sysdeps/mach/hurd/getpeername.c,v retrieving revision 1.11 diff -u -p -r1.11 getpeername.c --- sysdeps/mach/hurd/getpeername.c 6 Jul 2001 04:55:57 -0000 1.11 +++ sysdeps/mach/hurd/getpeername.c 10 Aug 2005 23:36:00 -0000 @@ -54,7 +54,8 @@ __getpeername (int fd, __SOCKADDR_ARG ad __vm_deallocate (__mach_task_self (), (vm_address_t) buf, buflen); } - addr->sa_family = type; + if (offsetof (typeof (addr->sa_family), sa_family) + sizeof (addr->sa_family) >= *len) + addr->sa_family = type; return 0; } _______________________________________________ Bug-hurd mailing list Bug-hurd@gnu.org http://lists.gnu.org/mailman/listinfo/bug-hurd
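Review bot: The new guard in __getpeername is inverted: `offsetof (...) + sizeof (addr->sa_family) >= *len` is true when the caller's buffer is too small or exactly large enough, so the store to `addr->sa_family` still happens in the undersized case and is skipped when the buffer is larger than needed. The comparison should be `<= *len`. The first argument to offsetof is also wrong: `typeof (addr->sa_family)` names the member's type, not the structure containing it, so it should be the sockaddr structure type that `addr` points to. The condition dereferences `len` unconditionally, so the `getpeername(fd, NULL, NULL)` call given as the motivating case still dereferences a NULL pointer here; a check for a NULL `addr` or `len` before the comparison would be needed to cover it. Finally, if `*len` has already been overwritten with the returned address length earlier in the function (not visible in this hunk), the check should use the caller's original buffer length instead.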