github.com/mono/mono.git
author Rodrigo Kumpera <kumpera@gmail.com> 2012-11-29 02:04:27 +0400
committer Rodrigo Kumpera <kumpera@gmail.com> 2012-11-29 03:23:13 +0400
commit 4d9ada68b5e2c99d82495a816d35180e4a92b7e3 (patch)
tree 63f67e2237bdc4912a0eac40e26eee03afc41695
parent 2209daad1c2fcfdfdd7117c710e01c58e0027d32 (diff)
Make sure we don't corrupt the heap when serializing a unix domain socketaddr.2.10.10
* socket-io.c (create_object_from_sockaddr): The resulting array size must be two bytes larger than the sockaddr one since we always serialize the family kind at the beginning. This fixes a crash on MD-linux-amd64-mono-sgen-3.0 running unit tests.
-rw-r--r-- mono/metadata/socket-io.c 19
1 files changed, 5 insertions, 14 deletions
diff --git a/mono/metadata/socket-io.c b/mono/metadata/socket-io.c
index 09d0a3e27eb..200f79d379f 100644
--- a/mono/metadata/socket-io.c
+++ b/mono/metadata/socket-io.c
@@ -922,20 +922,11 @@ static MonoObject *create_object_from_sockaddr(struct sockaddr *saddr,
g_assert (domain->sockaddr_data_field);
}
- /* Make sure there is space for the family and size bytes */
-#ifdef HAVE_SYS_UN_H
- if (saddr->sa_family == AF_UNIX) {
- /* sa_len includes the entire sockaddr size, so we don't need the
- * N bytes (sizeof (unsigned short)) of the family. */
- data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size);
- } else
-#endif
- {
- /* May be the +2 here is too conservative, as sa_len returns
- * the length of the entire sockaddr_in/in6, including
- * sizeof (unsigned short) of the family */
- data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size+2);
- }
+ /* May be the +2 here is too conservative, as sa_len returns
+ * the length of the entire sockaddr_in/in6, including
+ * sizeof (unsigned short) of the family */
+ /* We can't really avoid the +2 as all code below depends on this size - INCLUDING unix domain sockets.*/
+ data=mono_array_new_cached(domain, mono_get_byte_class (), sa_size+2);
/* The data buffer is laid out as follows:
* bytes 0 and 1 are the address family
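Review bot: The two comments left directly above the `mono_array_new_cached (..., sa_size+2)` call contradict each other: the retained one still says the +2 "may be too conservative", while the new one says it cannot be avoided. Since the commit message establishes that the family is always serialized at the beginning, for AF_UNIX as well, drop the "May be the +2..." comment and state the invariant once, for example that the array is `sa_size+2` because bytes 0 and 1 hold the address family ahead of the sockaddr data. The writes that rely on this size are outside the hunk; a `g_assert` on the array length next to the unix domain copy would keep the allocation and the copy from drifting apart again.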