From a51207bf473193016e38814ceea27335f517cb16 Mon Sep 17 00:00:00 2001
From: "Ned T. Crigler"
Date: Mon, 4 Aug 2014 12:40:20 -0700
Subject: [PATCH] Prevent buffer overflow with a long socket path name.

The code wasn't checking for overflow before copying the socket path name to to the sun_path field, which is usually much smaller than PATH_MAX. Report and initial patch by Paul Wilkinson.
---
 attach.c | 6 ++++++
 master.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/attach.c b/attach.c
index 8137130..a4ae626 100644
--- a/attach.c
+++ b/attach.c
@@ -52,6 +52,12 @@ connect_socket(char *name)
 int s;
 struct sockaddr_un sockun;
 
+ if (strlen(name) > sizeof(sockun.sun_path) - 1)
+ {
+ errno = ENAMETOOLONG;
+ return -1;
+ }
+
 s = socket(PF_UNIX, SOCK_STREAM, 0);
 if (s < 0)
 return -1;
diff --git a/master.c b/master.c
index 9f51da0..86195d1 100644
--- a/master.c
+++ b/master.c
@@ -185,6 +185,12 @@ create_socket(char *name)
 int s;
 struct sockaddr_un sockun;
 
+ if (strlen(name) > sizeof(sockun.sun_path) - 1)
+ {
+ errno = ENAMETOOLONG;
+ return -1;
+ }
+
 s = socket(PF_UNIX, SOCK_STREAM, 0);
 if (s < 0)
 return -1;
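Review bot: The length guard added at the top of connect_socket in attach.c carries no comment saying that it is what bounds the later copy into `sockun.sun_path`; a line such as `/* sun_path is a fixed-size array: reject names that do not fit with the terminating NUL */` above the `if` would keep a later edit from dropping or moving it below the copy. The same six lines are repeated verbatim in create_socket in master.c, so the two checks can drift apart; a small shared helper, or at least the same comment in both places, would keep them in step. Both function bodies continue outside the hunks, so the copy is not visible here and presumably remains an unbounded copy that depends entirely on this guard, which is worth confirming. It is also worth checking that each caller prints `errno`, so that a user sees ENAMETOOLONG rather than a generic failure.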