# Extended 3.23 — SocketPlugin: stat() on non-NUL-terminated image buffer

Bug ref      : pharo.md §3.23
Severity     : HIGH (OOB read of the heap on every UNIX-socket name lookup)
File         : extracted/plugins/SocketPlugin/src/common/SocketPluginImpl.c
Lines (HEAD) : 1898-1928 (sqGetAddressInfo-like helper, AF_UNIX path)

## Problem

```c
if (servSize && (family == SQ_SOCKET_FAMILY_LOCAL) && ...)
{
    struct stat st;
    if ((0 == stat(servName, &st)) && (st.st_mode & S_IFSOCK))
```

`servName` is the raw image byte pointer. The function already
copies it into `serv` at lines 1903-1905, but here it passes the
unbounded `servName` directly to `stat`. `stat` reads bytes until
it finds a NUL, which lies beyond the end of the image byte array
if the array contains none.

A few lines down (1922-1923) the code also `memcpy`s `servName`
into a NUL-terminated buffer; that step is correct. The `stat`
call above should use the same NUL-terminated `serv` variable.

## Fix

Use the already-NUL-terminated `serv` buffer for the `stat` call,
which was populated for exactly this purpose at lines 1903-1905.

```diff
--- a/plugins/SocketPlugin/src/common/SocketPluginImpl.c
+++ b/plugins/SocketPlugin/src/common/SocketPluginImpl.c
@@ -1909,7 +1909,7 @@
   if (servSize && (family == SQ_SOCKET_FAMILY_LOCAL) && (servSize < sizeof(((struct sockaddr_un *)0)->sun_path)) && !(flags & SQ_SOCKET_NUMERIC))
     {
       struct stat st;
-      if ((0 == stat(servName, &st)) && (st.st_mode & S_IFSOCK))
+      if ((0 == stat(serv, &st)) && (st.st_mode & S_IFSOCK))
 	{
 	  struct sockaddr_un *saun= calloc(1, sizeof(struct sockaddr_un));
 	  localInfo= (struct addrinfo *)calloc(1, sizeof(struct addrinfo));

```
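Review bot: the condition on the changed line still tests `st.st_mode & S_IFSOCK`, which is a bit test rather than a file-type comparison. The file-type values in `st_mode` are not single-bit flags (on Linux `S_IFSOCK` is 0140000 and `S_IFREG` is 0100000), so the expression is also nonzero for a regular file, and the `sockaddr_un` branch is taken for paths that are not sockets. Suggest `S_ISSOCK(st.st_mode)` or `(st.st_mode & S_IFMT) == S_IFSOCK` while this line is being touched. Separately, the hunk context does not show where `serv` is filled and terminated, so widening the context to include that copy would let a reader confirm it precedes this `stat` for every `servSize` the condition admits.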

## Test plan

- Pass a `servName` byte array with no terminating NUL. Before:
  ASAN reports an OOB read in `stat`. After: `stat` uses the
  NUL-terminated `serv` copy and the run is clean.
- Normal UNIX-socket path resolution: unchanged behaviour.

## Risk notes

- `serv` and `servName` carry the same bytes per the memcpy at
  1903-1905; using `serv` for the stat call is a strict
  equivalent on legitimate inputs.
- `calloc` failure for `saun`/`localInfo` is a pre-existing
  unchecked-alloc that should be addressed separately.
