taddr2uaddr would return trailing garbage for AF_LOCAL addresses

taddr2uaddr assumed that the sun_path field of an AF_LOCAL address was always NULL terminated, but that is not necessarily the case, especially if the buffer was allocated using the correct SUN_LEN().

Signed-off-by: Olaf Kirch
---
 src/rpc_generic.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
Index: libtirpc-0.2.4-rc2/src/rpc_generic.c
===================================================================
--- libtirpc-0.2.4-rc2.orig/src/rpc_generic.c
+++ libtirpc-0.2.4-rc2/src/rpc_generic.c
@@ -608,6 +608,7 @@ __rpc_taddr2uaddr_af(int af, const struc
 struct sockaddr_in6 *sin6;
 char namebuf6[INET6_ADDRSTRLEN];
 #endif
+ int path_len;
 u_int16_t port;
 if (nbuf->len <= 0)
@@ -638,13 +639,12 @@ __rpc_taddr2uaddr_af(int af, const struc
 #endif
 case AF_LOCAL:
 sun = nbuf->buf;
- /* if (asprintf(&ret, "%.*s", (int)(sun->sun_len -
- offsetof(struct sockaddr_un, sun_path)),
- sun->sun_path) < 0)*/
- if (asprintf(&ret, "%.*s", (int)(sizeof(*sun) -
- offsetof(struct sockaddr_un, sun_path)),
- sun->sun_path) < 0)
+ path_len = nbuf->len - offsetof(struct sockaddr_un, sun_path);
+ if (path_len < 0)
+ return NULL;
+
+ if (asprintf(&ret, "%.*s", path_len, sun->sun_path) < 0)
 return (NULL);
 break;
 default:
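Review bot: The `path_len < 0` guard in the AF_LOCAL case only takes effect through an unsigned wrap-around followed by a narrowing conversion. If `nbuf->len` is unsigned (its declaration is not visible here, but the netbuf length field normally is), `nbuf->len - offsetof(struct sockaddr_un, sun_path)` is computed in an unsigned type and only becomes negative when stored into the `int path_len` declared in the first hunk, which is implementation-defined. Comparing before subtracting makes the short-buffer case explicit: `if (nbuf->len < offsetof(struct sockaddr_un, sun_path)) return NULL;` followed by `path_len = (int)(nbuf->len - offsetof(struct sockaddr_un, sun_path));`. If callers can pass a length larger than the structure, it may also be worth capping `path_len` at `sizeof(sun->sun_path)` so the `%.*s` precision never extends past the field. The body of `__rpc_taddr2uaddr_af` starts before and continues after both hunks, so any earlier length validation is not visible here.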