| | | |
|---|---|---|
| author | Ben Wiederhake <BenWiederhake.GitHub@gmx.de> | 2020-08-23 13:47:52 +0200 |
| committer | Andreas Kling <kling@serenityos.org> | 2020-08-24 00:45:03 +0200 |
| commit | e682967d7eb4bff978b011b03a6bf4b939745d1c (patch) | |
| tree | c145d8258ad83979a0385a455fad69521f57402a /Libraries/LibCore/Socket.cpp | |
| parent | d419a780aed4a8111ab30531797d0e1afe6f02c4 (diff) | |
LibCore: Prefer strlcpy over strncpy, fix overflow

A malicious caller can create a SocketAddress for a local unix socket with an
over-long name that does not fit into struct sock_addr_un.

- Socket::connect: This caused the 'sun_path' field to overflow, probably
  overwriting the return pointer of the call frame, and thus crashing the
  process (in the best case).
- SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus
  crashed the process.

Both have been fixed to return a nice error code instead of crashing.
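The pattern the commit message describes, as an added example that is not part of SerenityOS or this commit: a path is copied into `sockaddr_un::sun_path` only after a bounded, strlcpy-style copy reports that it fit. The helper `bounded_copy` is a hypothetical stand-in for `strlcpy` (glibc only gained that function recently), and `fill_sockaddr_un` is an assumed name, not LibCore's API. The idiom is the strlcpy one: the copy always NUL-terminates, returns the full source length, and a return value of `size` or more means the path was truncated and the address must be rejected with `EINVAL` rather than used.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstring>
#include <string>
#include <sys/socket.h>
#include <sys/un.h>

// strlcpy-style bounded copy (hypothetical helper, added for this example).
// Copies at most size-1 bytes, always NUL-terminates when size > 0, and returns
// strlen(src); a return value >= size therefore signals truncation.
size_t bounded_copy(char* dst, const char* src, size_t size)
{
    size_t src_len = std::strlen(src);
    if (size > 0) {
        size_t n = src_len < size - 1 ? src_len : size - 1;
        std::memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return src_len;
}

// Hardened form of the address setup. The pre-fix code did the equivalent of
// strcpy(out.sun_path, path.c_str()), which writes path.size()+1 bytes into a
// fixed-size array and overflows the struct for over-long paths. Here the copy
// is bounded and truncation is turned into an error code, as the commit does.
bool fill_sockaddr_un(const std::string& path, sockaddr_un& out)
{
    std::memset(&out, 0, sizeof(out));
    out.sun_family = AF_LOCAL;
    if (bounded_copy(out.sun_path, path.c_str(), sizeof(out.sun_path)) >= sizeof(out.sun_path)) {
        // Path plus terminator does not fit: refuse instead of overflowing.
        errno = EINVAL;
        return false;
    }
    return true;
}

// Longest path that still fits with its terminating NUL.
size_t max_unix_path_length()
{
    return sizeof(sockaddr_un::sun_path) - 1;
}
```

The boundary is the point worth checking: a path exactly `sizeof(sun_path) - 1` bytes long is accepted, one byte more is rejected, because `sun_path` must hold the terminator as well as the path.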
Diffstat (limited to 'Libraries/LibCore/Socket.cpp')

| | | |
|---|---|---|
| -rw-r--r-- | Libraries/LibCore/Socket.cpp | 6 |

1 files changed, 6 insertions, 0 deletions
diff --git a/Libraries/LibCore/Socket.cpp b/Libraries/LibCore/Socket.cpp index a12c57993a..6685839a27 100644 --- a/Libraries/LibCore/Socket.cpp +++ b/Libraries/LibCore/Socket.cpp @@ -111,6 +111,12 @@ bool Socket::connect(const SocketAddress& address) sockaddr_un saddr; saddr.sun_family = AF_LOCAL; + auto dest_address = address.to_string(); + if (dest_address.length() >= sizeof(saddr.sun_path)) { + fprintf(stderr, "Core::Socket: Failed to connect() to %s: Path is too long!\n", dest_address.characters()); + errno = EINVAL; + return false; + } strcpy(saddr.sun_path, address.to_string().characters()); m_destination_address = address; |
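Review bot: the `strcpy(saddr.sun_path, address.to_string().characters())` that follows the new check still copies a freshly built string rather than the `dest_address` that was just length-checked; copying `dest_address.characters()` keeps the check and the copy on the same buffer, and since the commit title states a preference for strlcpy, `strlcpy(saddr.sun_path, dest_address.characters(), sizeof(saddr.sun_path))` would keep the write bounded even if the early return were later moved or dropped. The `>=` comparison is correct as written, because `length()` excludes the terminator and `sun_path` must have room for it.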