socket-util-unix: Avoid buffer read overrun in get_unix_name_len().

If the socket length does not include any of the bytes of the path, then
the code should not read even the first byte of the path.

Found by valgrind.

Reported-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Acked-by: Joe Stringer <joe@ovn.org>

diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c
index 5d4b88c4a239449f8f991b0076dbfe48c4549185..59f63fcceb8782fc0ced210aac84dd390e23feaf 100644 (file)
--- a/lib/socket-util-unix.c
+++ b/lib/socket-util-unix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014 Nicira, Inc.
+ * Copyright (c) 2014, 2016 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -389,7 +389,7 @@ error:
 int
 get_unix_name_len(const struct sockaddr_un *sun, socklen_t sun_len)
 {
-    return (sun_len >= offsetof(struct sockaddr_un, sun_path) &&
+    return (sun_len > offsetof(struct sockaddr_un, sun_path) &&
             sun->sun_path[0] != 0
             ? sun_len - offsetof(struct sockaddr_un, sun_path)
             : 0);