* fhandler_socket.cc (fhandler_socket::bind): Fix length check of

	AF_LOCAL filename so it never accesses memory beyond namelen.  Also
	make sure filename is NUL-terminated.

1 files changed, 6 insertions, 4 deletions

diff --git a/winsup/cygwin/fhandler_socket.cc b/winsup/cygwin/fhandler_socket.cc
index 6625eef..6f13e51 100644
--- a/winsup/cygwin/fhandler_socket.cc
+++ b/winsup/cygwin/fhandler_socket.cc
@@ -900,17 +900,19 @@ fhandler_socket::bind (const struct sockaddr *name, int namelen)
     {
 #define un_addr ((struct sockaddr_un *) name)
       struct sockaddr_in sin;
-      int len = sizeof sin;
+      int len = namelen - offsetof (struct sockaddr_un, sun_path);
 
-      if (strlen (un_addr->sun_path) >= UNIX_PATH_LEN)
+      /* Check that name is within bounds and NUL-terminated. */
+      if (len <= 1 || len > UNIX_PATH_LEN
+	  || !memchr (un_addr->sun_path, '\0', len))
 	{
-	  set_errno (ENAMETOOLONG);
+	  set_errno (len < 1 ? EINVAL : ENAMETOOLONG);
 	  goto out;
 	}
       sin.sin_family = AF_INET;
       sin.sin_port = 0;
       sin.sin_addr.s_addr = htonl (INADDR_LOOPBACK);
-      if (::bind (get_socket (), (sockaddr *) &sin, len))
+      if (::bind (get_socket (), (sockaddr *) &sin, len = sizeof sin))
 	{
 	  syscall_printf ("AF_LOCAL: bind failed");
 	  set_winsock_errno ();