From 339bb5e0218c9575a2f4a588053e69527ae4dfb2 Mon Sep 17 00:00:00 2001 From: benno Date: Sun, 26 Apr 2015 20:12:03 +0000 Subject: [PATCH] mlarkin asks "bgpctl checks the length of the control socket path to make sure it fits. When browsing around last night I saw that bgpd does not. Any reason it shouldn't? Please commit" Add a check in parse.y to check this when reading the configuration. ok phessler@ henning@ --- usr.sbin/bgpd/control.c | 9 +++++++-- usr.sbin/bgpd/parse.y | 8 +++++++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/usr.sbin/bgpd/control.c b/usr.sbin/bgpd/control.c index 345b35c4685..ca405ba4292 100644 --- a/usr.sbin/bgpd/control.c +++ b/usr.sbin/bgpd/control.c @@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.76 2015/02/09 11:37:31 claudio Exp $ */ +/* $OpenBSD: control.c,v 1.77 2015/04/26 20:12:03 benno Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -50,7 +50,12 @@ control_init(int restricted, char *path) bzero(&sun, sizeof(sun)); sun.sun_family = AF_UNIX; - strlcpy(sun.sun_path, path, sizeof(sun.sun_path)); + if (strlcpy(sun.sun_path, path, sizeof(sun.sun_path)) >= + sizeof(sun.sun_path)) { + log_warn("control_init: socket name too long"); + close(fd); + return (-1); + } if (unlink(path) == -1) if (errno != ENOENT) { diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y index d50b5001822..a34d87b9fbd 100644 --- a/usr.sbin/bgpd/parse.y +++ b/usr.sbin/bgpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.279 2015/04/25 15:28:18 phessler Exp $ */ +/* $OpenBSD: parse.y,v 1.280 2015/04/26 20:12:03 benno Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -578,6 +579,11 @@ conf_main : AS as4number { conf->connectretry = $2; } | SOCKET STRING restricted { + if (strlen($2) >= + sizeof(((struct sockaddr_un *)0)->sun_path)) { + yyerror("socket path too long"); + YYERROR; + } if ($3) { free(conf->rcsock); conf->rcsock = $2; -- 2.20.1