From: Eric Van Hensbergen <ericvh@gmail.com>

Found the problem.  I am not sure why, but unix_mkname in net/unix/af_unix.c
writes a zero byte outside the sockaddr_un parameter.  There is even a comment
that it might seem like a bug, but it is not -- I didn't understand the
explanation -- it looks like a bug to me :)

The patch that I am attaching sets addr_len parameter of ops->connect to
sizeof(struct sockaddr_un) - 1 and thus ensures that unix_mkname won't write
outside the struct.  The patch also checks if the length of the unix socket
name specified in mount doesn't exceed UNIX_PATH_MAX.

Signed-off-by: Latchesar Ionkov <lucho@ionkov.net>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 fs/9p/trans_sock.c |   24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)

diff -puN fs/9p/trans_sock.c~v9fs-transport-modules-fix-a-problem-with-named-pipe-transport fs/9p/trans_sock.c
--- devel/fs/9p/trans_sock.c~v9fs-transport-modules-fix-a-problem-with-named-pipe-transport	2005-08-29 22:23:32.000000000 -0700
+++ devel-akpm/fs/9p/trans_sock.c	2005-08-29 22:23:32.000000000 -0700
@@ -202,14 +202,23 @@ static int
 v9fs_unix_init(struct v9fs_session_info *v9ses, const char *dev_name,
 	       char *data)
 {
-	struct socket *csocket = NULL;
+	int rc;
+	struct socket *csocket;
 	struct sockaddr_un sun_server;
-	struct v9fs_transport *trans = v9ses->transport;
-	int rc = 0;
+	struct v9fs_transport *trans;
+	struct v9fs_trans_sock *ts;
 
-	struct v9fs_trans_sock *ts =
-	    kmalloc(sizeof(struct v9fs_trans_sock), GFP_KERNEL);
+	rc = 0;
+	csocket = NULL;
+	trans = v9ses->transport;
+
+	if (strlen(dev_name) > UNIX_PATH_MAX) {
+		eprintk(KERN_ERR, "v9fs_trans_unix: address too long: %s\n",
+			dev_name);
+		return -ENOMEM;
+	}
 
+	ts = kmalloc(sizeof(struct v9fs_trans_sock), GFP_KERNEL);
 	if (!ts)
 		return -ENOMEM;
 
@@ -222,9 +231,8 @@ v9fs_unix_init(struct v9fs_session_info 
 	sun_server.sun_family = PF_UNIX;
 	strcpy(sun_server.sun_path, dev_name);
 	sock_create_kern(PF_UNIX, SOCK_STREAM, 0, &csocket);
-	rc = csocket->ops->connect(csocket,
-				   (struct sockaddr *)&sun_server,
-				   sizeof(struct sockaddr_un), 0);
+	rc = csocket->ops->connect(csocket, (struct sockaddr *)&sun_server,
+		sizeof(struct sockaddr_un) - 1, 0);	/* -1 *is* important */
 	if (rc < 0) {
 		eprintk(KERN_ERR,
 			"v9fs_trans_unix: problem connecting socket: %s: %d\n",
_