From aea8f8175ad84911db743dab9b85563fd380ff9b Mon Sep 17 00:00:00 2001
From: Xiang Xiao <xiaoxiang@xiaomi.com>
Date: Sun, 18 Dec 2022 14:55:44 +0800
Subject: [PATCH] net/local: Return -EINVAL if the address length passed to
 local_bind is too small

Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
---
 net/local/local_bind.c      | 37 +++++++++++++++----------------------
 net/local/local_recvutils.c |  2 +-
 net/local/local_sockif.c    |  3 +--
 3 files changed, 17 insertions(+), 25 deletions(-)

diff --git a/net/local/local_bind.c b/net/local/local_bind.c
index 2f1f27f525..e192f0615e 100644
--- a/net/local/local_bind.c
+++ b/net/local/local_bind.c
@@ -52,11 +52,14 @@ int psock_local_bind(FAR struct socket *psock,
   FAR struct local_conn_s *conn;
   FAR const struct sockaddr_un *unaddr =
     (FAR const struct sockaddr_un *)addr;
-  int namelen;
 
   DEBUGASSERT(psock != NULL && psock->s_conn != NULL &&
-              unaddr != NULL && unaddr->sun_family == AF_LOCAL &&
-              addrlen >= sizeof(sa_family_t));
+              unaddr != NULL && unaddr->sun_family == AF_LOCAL);
+
+  if (addrlen <= sizeof(sa_family_t) + 1)
+    {
+      return -EINVAL;
+    }
 
   conn = (FAR struct local_conn_s *)psock->s_conn;
 
@@ -68,33 +71,23 @@ int psock_local_bind(FAR struct socket *psock,
    * of the address description.
    */
 
-  if (addrlen == sizeof(sa_family_t))
+  if (unaddr->sun_path[0] == '\0')
     {
-      /* No sun_path... This is an un-named Unix domain socket */
+      /* Zero-length sun_path... This is an abstract Unix domain socket */
 
-      conn->lc_type = LOCAL_TYPE_UNNAMED;
+      conn->lc_type    = LOCAL_TYPE_ABSTRACT;
+      conn->lc_path[0] = '\0';
     }
   else
     {
-      namelen = strnlen(unaddr->sun_path, UNIX_PATH_MAX - 1);
-      if (namelen <= 0)
-        {
-          /* Zero-length sun_path... This is an abstract Unix domain socket */
+      /* This is an normal, pathname Unix domain socket */
 
-          conn->lc_type    = LOCAL_TYPE_ABSTRACT;
-          conn->lc_path[0] = '\0';
-        }
-      else
-        {
-          /* This is an normal, pathname Unix domain socket */
+      conn->lc_type = LOCAL_TYPE_PATHNAME;
 
-          conn->lc_type = LOCAL_TYPE_PATHNAME;
+      /* Copy the path into the connection structure */
 
-          /* Copy the path into the connection structure */
-
-          strlcpy(conn->lc_path, unaddr->sun_path, sizeof(conn->lc_path));
-          conn->lc_instance_id = -1;
-        }
+      strlcpy(conn->lc_path, unaddr->sun_path, sizeof(conn->lc_path));
+      conn->lc_instance_id = -1;
     }
 
   conn->lc_state = LOCAL_STATE_BOUND;
diff --git a/net/local/local_recvutils.c b/net/local/local_recvutils.c
index 30380e893e..d3f8ae2b47 100644
--- a/net/local/local_recvutils.c
+++ b/net/local/local_recvutils.c
@@ -175,7 +175,7 @@ int local_getaddr(FAR struct local_conn_s *conn, FAR struct sockaddr *addr,
   int totlen;
   int pathlen;
 
-  DEBUGASSERT(conn && addr && addrlen && *addrlen >= sizeof(sa_family_t));
+  DEBUGASSERT(conn && addr && addrlen);
 
   /* Get the length of the path (minus the NUL terminator) and the length
    * of the whole Unix domain address.
diff --git a/net/local/local_sockif.c b/net/local/local_sockif.c
index 4aaf6c25fd..f4e9cac752 100644
--- a/net/local/local_sockif.c
+++ b/net/local/local_sockif.c
@@ -354,8 +354,7 @@ static int local_getsockname(FAR struct socket *psock,
   FAR struct local_conn_s *conn;
 
   DEBUGASSERT(psock != NULL && psock->s_conn != NULL &&
-              unaddr != NULL && addrlen != NULL &&
-              *addrlen >= sizeof(sa_family_t));
+              unaddr != NULL && addrlen != NULL);
 
   if (*addrlen < sizeof(sa_family_t))
     {