mirror of https://github.com/RGBCube/serenity synced 2025-05-16 19:05:08 +00:00

LibCore: Prefer strlcpy over strncpy, fix overflow

A malicious caller can create a SocketAddress for a local unix socket with an
over-long name that does not fit into struct sock_addr_un.
- Socket::connect: This caused the 'sun_path' field to
  overflow, probably overwriting the return pointer of the call frame, and thus
  crashing the process (in the best case).
- SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus
  crashed the process.

Both have been fixed to return a nice error code instead of crashing.
Ben Wiederhake 2020-08-23 13:47:52 +02:00 committed by Andreas Kling
parent d419a780ae
commit e682967d7e
4 changed files with 25 additions and 5 deletions


@ -121,7 +121,12 @@ bool LocalServer::listen(const String& address)
#endif
auto socket_address = SocketAddress::local(address);
auto un = socket_address.to_sockaddr_un();
auto un_optional = socket_address.to_sockaddr_un();
if (!un_optional.has_value()) {
perror("bind");
return false;
}
auto un = un_optional.value();
rc = ::bind(m_fd, (const sockaddr*)&un, sizeof(un));
if (rc < 0) {
perror("bind");
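Review bot: the new early-return in LocalServer::listen reports the failure with `perror("bind")` before `::bind()` has been called, so the message will carry whatever stale `errno` happens to be set rather than the real cause (a path too long for `sockaddr_un::sun_path`). Since `to_sockaddr_un()` now signals the over-long name through an empty Optional rather than through `errno`, print an explicit message here instead, e.g. `fprintf(stderr, "LocalServer::listen: socket path too long\n");` (or `dbg()`), and keep `perror("bind")` only for the genuine `::bind()` failure below; otherwise two different faults produce the same, and in this case misleading, diagnostic. It would also be worth a short comment noting that the empty Optional is the over-long-path case, since that is the bug this change fixes.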