Properly check the lengths of Unix-socket pathnames.

If something is too long to fit in a sun_addr, we should spot that
well in advance and not try.

diff --git a/unix/uxagentc.c b/unix/uxagentc.c
index 7732a9a1744842e69fd05d23dcf10d7fdee64260..ffc5879cfbc0f5dba078f56ab72f2690908963cc 100644 (file)
--- a/unix/uxagentc.c
+++ b/unix/uxagentc.c
@@ -134,7 +134,7 @@ agent_pending_query *agent_query(
     agent_pending_query *conn;
 
     name = getenv("SSH_AUTH_SOCK");
-    if (!name)
+    if (!name || strlen(name) >= sizeof(addr.sun_path))
        goto failure;
 
     sock = socket(PF_UNIX, SOCK_STREAM, 0);
@@ -146,7 +146,7 @@ agent_pending_query *agent_query(
     cloexec(sock);
 
     addr.sun_family = AF_UNIX;
-    strncpy(addr.sun_path, name, sizeof(addr.sun_path));
+    strcpy(addr.sun_path, name);
     if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(sock);
        goto failure;

diff --git a/unix/uxnet.c b/unix/uxnet.c
index 47490a1eefe235de82fdcf35d8a70c24c5a2ee35..79f4fbceea3bb7d04984b5c335aec93acaf35b75 100644 (file)
--- a/unix/uxnet.c
+++ b/unix/uxnet.c
@@ -1620,7 +1620,8 @@ SockAddr unix_sock_addr(const char *path)
 
     if (n < 0)
        ret->error = "snprintf failed";
-    else if (n >= sizeof ret->hostname)
+    else if (n >= sizeof ret->hostname ||
+             n >= sizeof(((struct sockaddr_un *)0)->sun_path))
        ret->error = "socket pathname too long";
 
 #ifndef NO_IPV6