From d94f897b6021721e9b2ac7e06d6a670dd574a2f9 Mon Sep 17 00:00:00 2001 From: fengbojiang Date: Mon, 8 Jun 2026 16:42:45 +0800 Subject: [PATCH] fix(syscall): add addrlen bounds check in ff_hook_bind Reject bind() calls with addrlen larger than sizeof(struct sockaddr_storage) to prevent out-of-bounds reads when copying the address into shared memory via rte_memcpy. Defensive hardening (low-risk; addrlen comes from the local process, not a remote attacker). Cherry-picked from #1067; the accompanying test file in that PR was intentionally omitted because it does not actually exercise ff_hook_bind. --- adapter/syscall/ff_hook_syscall.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/adapter/syscall/ff_hook_syscall.c b/adapter/syscall/ff_hook_syscall.c index 9503fc577..984fd45dc 100644 --- a/adapter/syscall/ff_hook_syscall.c +++ b/adapter/syscall/ff_hook_syscall.c @@ -437,6 +437,11 @@ ff_hook_bind(int fd, const struct sockaddr *addr, return -1; } + if (addrlen > sizeof(struct sockaddr_storage)) { + errno = EINVAL; + return -1; + } + CHECK_FD_OWNERSHIP(bind, (fd, addr, addrlen)); DEFINE_REQ_ARGS(bind);
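Review bot: The new `if (addrlen > sizeof(struct sockaddr_storage))` check in ff_hook_bind carries no comment and bounds addrlen by a type rather than by the size of the shared-memory destination that the commit message says rte_memcpy copies into. That destination is not visible in this hunk, so please confirm it is at least sizeof(struct sockaddr_storage) bytes. Better still, compare against the destination field's own size, or add a compile-time assertion tying the two together, so the bound cannot drift if the buffer layout changes. The check sits before CHECK_FD_OWNERSHIP, so it applies to every fd that reaches this point, whatever that macro then decides. Returning EINVAL matches what the Linux kernel does for an oversized bind() address length, so the placement looks acceptable, but a one-line comment saying so would help the next reader. Since the message notes that the test from #1067 was dropped for not exercising ff_hook_bind, a test that calls it with addrlen equal to sizeof(struct sockaddr_storage) + 1 and expects -1 with errno set to EINVAL would cover the new branch.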