[Bug 243747] Add another length check to the iruserok_sa

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243747

            Bug ID: 243747
           Summary: Add another length check to the iruserok_sa
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs at FreeBSD.org
          Reporter: areiter at veracode.com

This is not really a bug, I have not seen it misused in code utilizing the API
call, and I wonder the actual number of users of the call, but I file this if
it might be worth adding for robustness sake. Apologies to open a ticket for
such a small and likely inconsequential-if-not-changed bit of nitpickery, but
so it goes:

This is simply adding an additional length check to iruserok_sa() function in
lib/libc/net/rcmd.c. There is a check for the length on line 441:

   427  iruserok_sa(const void *ra, int rlen, int superuser, const char *ruser,
   428      const char *luser)
   429  {
   430          char *cp;
   431          struct stat sbuf;
   432          struct passwd *pwd;
   433          FILE *hostf;
   434          uid_t uid;
   435          int first;
   436          char pbuf[MAXPATHLEN];
   437          const struct sockaddr *raddr;
   438          struct sockaddr_storage ss;
   439  
   440          /* avoid alignment issue */
   441          if (rlen > sizeof(ss))
   442                  return(-1);
   443          memcpy(&ss, ra, rlen);


Is worth changing to  `(rlen > sizeof(ss) || rlen <= 0) ` ?

-- 
You are receiving this mail because:
You are the assignee for the bug.