mirrors/sway
1
0
Fork 0
mirror of https://github.com/swaywm/sway.git synced 2026-04-22 06:46:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

common: handle invalid IPC messages

Browse source 
The size of IPC data is stored in an unsigned 32 bit data type within
the IPC message header. In order to terminate the received data with a
nul byte, one additional byte is allocated.

It is not checked if the transmitted size is 2^32 - 1. Adding one more
byte would overflow and lead to 0 byte allocation.

On 64 bit systems, the recv call with 2^32 - 1 does not fail instantly
but reads data from the server into unallocated memory.

Prevent override of unallocated memory by aborting communication.

Proof of Concept Python server (use 64 bit address sanitized client):
```
import os
import socket

os.remove('/tmp/sway-poc.socket')
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
server.bind('/tmp/sway-poc.socket')
server.listen(1)
print('waiting for client')
(client, address) = server.accept()
client.send(b'\x69\x33\x2D\x69\x70\x63\xFF\xFF\xFF\xFF\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF')
input('sent reply, press enter')
client.close()
```
This commit is contained in:
Tobias Stoeckmann 2021-05-07 20:12:57 +02:00
parent 7c74f01f0a
commit edcdb5552d
5 changed files with 24 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

20
common/ipc-client.c
View file

@ -1,4 +1,5 @@
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
@ -94,9 +95,15 @@ struct ipc_response *ipc_recv_response(int socketfd) {
goto error_1;
}
memcpy(&response->size, data + sizeof(ipc_magic), sizeof(uint32_t));
uint32_t size;
memcpy(&size, data + sizeof(ipc_magic), sizeof(uint32_t));
response->size = size;
memcpy(&response->type, data + sizeof(ipc_magic) + sizeof(uint32_t), sizeof(uint32_t));
if (response->size >= SSIZE_MAX) {
sway_abort("Unable to receive overly long IPC response");
}
char *payload = malloc(response->size + 1);
if (!payload) {
goto error_2;
@ -126,11 +133,16 @@ void free_ipc_response(struct ipc_response *response) {
free(response);
}
char *ipc_single_command(int socketfd, uint32_t type, const char *payload, uint32_t *len) {
char *ipc_single_command(int socketfd, uint32_t type, const char *payload, size_t *len) {
char data[IPC_HEADER_SIZE];
if (*len > UINT32_MAX) {
sway_abort("Unable to send overly long IPC payload");
}
uint32_t size = *len;
memcpy(data, ipc_magic, sizeof(ipc_magic));
memcpy(data + sizeof(ipc_magic), len, sizeof(*len));
memcpy(data + sizeof(ipc_magic) + sizeof(*len), &type, sizeof(type));
memcpy(data + sizeof(ipc_magic), &size, sizeof(size));
memcpy(data + sizeof(ipc_magic) + sizeof(size), &type, sizeof(type));
if (write(socketfd, data, IPC_HEADER_SIZE) == -1) {
sway_abort("Unable to send IPC header");