From: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Date: Thu, 24 Oct 2019 05:17:30 +0000 (+0700)
Subject: syscall: make convertFromDirents11 checkptr safe
X-Git-Tag: go1.14beta1~601
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=722b0e32babc95a4381b14e1e7640572a556fc24;p=gostls13.git

syscall: make convertFromDirents11 checkptr safe

Fixes #35092

Change-Id: I8f1ee2b79d42b2291548fd5645940a61f6d67582
Reviewed-on: https://go-review.googlesource.com/c/go/+/202878
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
---

diff --git a/src/syscall/syscall_freebsd.go b/src/syscall/syscall_freebsd.go
index 3abc722c42..7c7b89aab9 100644
--- a/src/syscall/syscall_freebsd.go
+++ b/src/syscall/syscall_freebsd.go
@@ -381,8 +381,12 @@ func convertFromDirents11(buf []byte, old []byte) int {
 	dstPos := 0
 	srcPos := 0
 	for dstPos+fixedSize < len(buf) && srcPos+oldFixedSize < len(old) {
-		dstDirent := (*Dirent)(unsafe.Pointer(&buf[dstPos]))
-		srcDirent := (*dirent_freebsd11)(unsafe.Pointer(&old[srcPos]))
+		var dstDirent Dirent
+		var srcDirent dirent_freebsd11
+
+		// If multiple direntries are written, sometimes when we reach the final one,
+		// we may have cap of old less than size of dirent_freebsd11.
+		copy((*[unsafe.Sizeof(srcDirent)]byte)(unsafe.Pointer(&srcDirent))[:], old[srcPos:])
 
 		reclen := roundup(fixedSize+int(srcDirent.Namlen)+1, 8)
 		if dstPos+reclen > len(buf) {
@@ -398,6 +402,7 @@ func convertFromDirents11(buf []byte, old []byte) int {
 		dstDirent.Pad1 = 0
 
 		copy(dstDirent.Name[:], srcDirent.Name[:srcDirent.Namlen])
+		copy(buf[dstPos:], (*[unsafe.Sizeof(dstDirent)]byte)(unsafe.Pointer(&dstDirent))[:])
 		padding := buf[dstPos+fixedSize+int(dstDirent.Namlen) : dstPos+reclen]
 		for i := range padding {
 			padding[i] = 0