From: Eric Van Hensbergen
Found the problem. I am not sure why, but unix_mkname in net/unix/af_unix.c writes a zero byte outside the sockaddr_un parameter. There is even a comment that it might seem like a bug, but it is not -- I didn't understand the explanation -- it looks like a bug to me :) The patch that I am attaching sets addr_len parameter of ops->connect to sizeof(struct sockaddr_un) - 1 and thus ensures that unix_mkname won't write outside the struct. The patch also checks if the length of the unix socket name specified in mount doesn't exceed UNIX_PATH_MAX.
Signed-off-by: Latchesar Ionkov
Signed-off-by: Eric Van Hensbergen
Signed-off-by: Andrew Morton
---
 fs/9p/trans_sock.c | 24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)
diff -puN fs/9p/trans_sock.c~v9fs-transport-modules-fix-a-problem-with-named-pipe-transport fs/9p/trans_sock.c
--- devel/fs/9p/trans_sock.c~v9fs-transport-modules-fix-a-problem-with-named-pipe-transport 2005-08-29 22:23:32.000000000 -0700
+++ devel-akpm/fs/9p/trans_sock.c 2005-08-29 22:23:32.000000000 -0700
@@ -202,14 +202,23 @@ static int
 v9fs_unix_init(struct v9fs_session_info *v9ses, const char *dev_name,
  char *data)
 {
- struct socket *csocket = NULL;
+ int rc;
+ struct socket *csocket;
  struct sockaddr_un sun_server;
- struct v9fs_transport *trans = v9ses->transport;
- int rc = 0;
+ struct v9fs_transport *trans;
+ struct v9fs_trans_sock *ts;
- struct v9fs_trans_sock *ts =
- kmalloc(sizeof(struct v9fs_trans_sock), GFP_KERNEL);
+ rc = 0;
+ csocket = NULL;
+ trans = v9ses->transport;
+
+ if (strlen(dev_name) > UNIX_PATH_MAX) {
+ eprintk(KERN_ERR, "v9fs_trans_unix: address too long: %s\n",
+ dev_name);
+ return -ENOMEM;
+ }
+ ts = kmalloc(sizeof(struct v9fs_trans_sock), GFP_KERNEL);
  if (!ts)
  return -ENOMEM;
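Review bot: The new length guard is off by one: `sun_path` is a `char[UNIX_PATH_MAX]` array and the `strcpy(sun_server.sun_path, dev_name)` kept as context in the next hunk copies `strlen(dev_name) + 1` bytes, so a name of exactly UNIX_PATH_MAX characters passes the check and its terminating NUL lands one byte past `sun_server` on the stack. The comparison should be `if (strlen(dev_name) >= UNIX_PATH_MAX) {`; that limit also matches the connect() call in the next hunk, which passes `sizeof(struct sockaddr_un) - 1` and therefore cannot hand the kernel more than UNIX_PATH_MAX - 1 path bytes in any case. Returning -ENOMEM for an over-long name misreports the failure to the mounting process; `return -ENAMETOOLONG;` is the conventional errno for this condition. The rest of v9fs_unix_init continues past the end of this hunk.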
@@ -222,9 +231,8 @@ v9fs_unix_init(struct v9fs_session_info
  sun_server.sun_family = PF_UNIX;
  strcpy(sun_server.sun_path, dev_name);
  sock_create_kern(PF_UNIX, SOCK_STREAM, 0, &csocket);
- rc = csocket->ops->connect(csocket,
- (struct sockaddr *)&sun_server,
- sizeof(struct sockaddr_un), 0);
+ rc = csocket->ops->connect(csocket, (struct sockaddr *)&sun_server,
+ sizeof(struct sockaddr_un) - 1, 0); /* -1 *is* important */
  if (rc < 0) {
  eprintk(KERN_ERR,
  "v9fs_trans_unix: problem connecting socket: %s: %d\n",
_
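Review bot: The rewritten connect call still dereferences `csocket` without checking the result of the `sock_create_kern()` call on the line above it; if socket creation fails, that pointer is presumably still the NULL the first hunk initialises it to, and the connect line faults instead of returning an error. The call should become `rc = sock_create_kern(PF_UNIX, SOCK_STREAM, 0, &csocket);` followed by an `if (rc < 0)` branch that releases what the function has already acquired (at least the `ts` allocation from the first hunk) and returns `rc`. The comment `/* -1 *is* important */` also asserts that the value matters without saying why, which is exactly what the next reader will need; suggest `/* unix_mkname() stores a NUL at offset addr_len, so passing the full struct size would write one byte past sun_server */`. The error path inside `if (rc < 0)` and the rest of v9fs_unix_init continue outside the hunk.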