From e682967d7eb4bff978b011b03a6bf4b939745d1c Mon Sep 17 00:00:00 2001
From: Ben Wiederhake
Date: Sun, 23 Aug 2020 13:47:52 +0200
Subject: LibCore: Prefer strlcpy over strncpy, fix overflow

A malicious caller can create a SocketAddress for a local unix socket with an over-long name that does not fit into struct sock_addr_un. - Socket::connet: This caused the 'sun_path' field to overflow, probably overwriting the return pointer of the call frame, and thus crashing the process (in the best case). - SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus crashing the process. Both have been fixed to return a nice error code instead of crashing.
---
 Libraries/LibCore/Socket.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'Libraries/LibCore/Socket.cpp')

diff --git a/Libraries/LibCore/Socket.cpp b/Libraries/LibCore/Socket.cpp
index a12c57993a..6685839a27 100644
--- a/Libraries/LibCore/Socket.cpp
+++ b/Libraries/LibCore/Socket.cpp
@@ -111,6 +111,12 @@ bool Socket::connect(const SocketAddress& address)
     sockaddr_un saddr;
     saddr.sun_family = AF_LOCAL;
+    auto dest_address = address.to_string();
+    if (dest_address.length() >= sizeof(saddr.sun_path)) {
+        fprintf(stderr, "Core::Socket: Failed to connect() to %s: Path is too long!\n", dest_address.characters());
+        errno = EINVAL;
+        return false;
+    }
     strcpy(saddr.sun_path, address.to_string().characters());
     m_destination_address = address;
-- 
cgit v1.2.3
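Review bot: The copy on the line right after the new guard still uses `strcpy` and rebuilds the string with a second `address.to_string()` call, although the subject line says strlcpy is preferred; the bound is enforced only by the `>=` comparison a few lines above, so a later edit to either line can silently reintroduce the overflow. Use the string already computed and let the copy itself enforce the size: `strlcpy(saddr.sun_path, dest_address.characters(), sizeof(saddr.sun_path));`. The `>= sizeof(saddr.sun_path)` check is correct as written, since it leaves room for the terminating NUL. `ENAMETOOLONG` would describe the failure more precisely than `EINVAL` if callers key off errno — worth confirming against the file's other error paths, which are outside this hunk. Socket::connect both starts and ends outside the hunk.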