RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-28 19:15:09 +00:00
Code Issues Activity Actions

LibCore: Prefer strlcpy over strncpy, fix overflow

Browse source 
A malicious caller can create a SocketAddress for a local unix socket with an
over-long name that does not fit into struct sock_addr_un.
- Socket::connet: This caused the 'sun_path' field to
  overflow, probably overwriting the return pointer of the call frame, and thus
  crashing the process (in the best case).
- SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus
  crashing the process.

Both have been fixed to return a nice error code instead of crashing.
This commit is contained in:
Ben Wiederhake 2020-08-23 13:47:52 +02:00 committed by Andreas Kling
parent d419a780ae
commit e682967d7e
4 changed files with 25 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Libraries/LibCore/SocketAddress.h
View file

@ -43,7 +43,7 @@ public:
Local
};
SocketAddress() {}
SocketAddress() { }
SocketAddress(const IPv4Address& address)
: m_type(Type::IPv4)
, m_ipv4_address(address)
@ -82,12 +82,14 @@ public:
}
}
sockaddr_un to_sockaddr_un() const
Optional<sockaddr_un> to_sockaddr_un() const
{
ASSERT(type() == Type::Local);
sockaddr_un address;
address.sun_family = AF_LOCAL;
RELEASE_ASSERT(m_local_address.length() < (int)sizeof(address.sun_path));
if (m_local_address.length() >= sizeof(address.sun_path)) {
return {};
}
strcpy(address.sun_path, m_local_address.characters());
return address;
}