mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-02 06:46:36 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix stack overflow via strndupa on long device names

Browse source 
A client-supplied device name ending in ".monitor" was stack-allocated
via strndupa without any size limit. Since protocol messages can be up
to 16MB, a malicious client could send a very long device name and
overflow the stack, crashing the daemon.

Cap the strndupa length at MAX_NAME (1024) in both find_device and
do_set_default.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-30 17:18:06 +02:00
parent 6ea673b68a
commit 99a89f8bd4
1 changed files with 10 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/modules/module-protocol-pulse/pulse-server.c
View file

@ -2572,7 +2572,10 @@ static struct pw_manager_object *find_device(struct client *client,
if (name != NULL) {
if (spa_strendswith(name, ".monitor")) {
if (!sink) {
name = strndupa(name, strlen(name)-8);
size_t len = strlen(name) - 8;
if (len > MAX_NAME)
return NULL;
name = strndupa(name, len);
allow_monitor = true;
}
}
@ -4818,8 +4821,12 @@ static int do_set_default(struct client *client, uint32_t command, uint32_t tag,
return -ENOENT;
if (o->props && (str = pw_properties_get(o->props, PW_KEY_NODE_NAME)) != NULL)
name = str;
else if (spa_strendswith(name, ".monitor"))
name = strndupa(name, strlen(name)-8);
else if (spa_strendswith(name, ".monitor")) {
size_t len = strlen(name) - 8;
if (len > MAX_NAME)
return -ENAMETOOLONG;
name = strndupa(name, len);
}
struct spa_json_builder b;
char *val;