From b9495e8d58a87fc003cb55786b2cf9b2b9c7a65e Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi
Date: Fri, 16 Dec 2016 10:20:27 +0000
Subject: core: prevent invalid socket symlink target dereference (#4895)
socket_find_symlink_target() returns a pointer to p->address.sockaddr.un.sun_path when the first byte is non-zero without checking that this is AF_UNIX socket. Since sockaddr is a union this byte could be non-zero for AF_INET sockets. Existing callers happen to be safe but is an accident waiting to happen. Use socket_address_get_path() since it checks for AF_UNIX.
---
 src/core/socket.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'src/core/socket.c')
diff --git a/src/core/socket.c b/src/core/socket.c
index fee9b702e6..0960a30039 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -423,8 +423,7 @@ static const char *socket_find_symlink_target(Socket *s) {
 break;
 case SOCKET_SOCKET:
- if (p->address.sockaddr.un.sun_path[0] != 0)
- f = p->address.sockaddr.un.sun_path;
+ f = socket_address_get_path(&p->address);
 break;
 default:
-- 
cgit v1.2.3-54-g00ecf
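Review bot: The removed `sun_path[0] != 0` test in the `SOCKET_SOCKET` case is now only implied by the helper, and neither the hunk nor the commit message shows that `socket_address_get_path()` also returns NULL for an abstract or unnamed AF_UNIX address (leading NUL byte). If the helper checked the address family only, `f` would end up pointing at an empty or abstract name, which the code after the switch presumably treats as a filesystem path. It is worth confirming this in the helper and recording the contract at the call site, for example `/* NULL unless AF_UNIX with a filesystem path (not abstract or unnamed) */`. The rest of socket_find_symlink_target() lies outside the hunk, so how `f` is consumed is inferred from the function name and the commit message.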