mirrors/sway
1
0
Fork 0
mirror of https://github.com/swaywm/sway.git synced 2026-04-22 06:46:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

common: handle invalid IPC messages

Browse source 
The size of IPC data is stored in an unsigned 32 bit data type within
the IPC message header. In order to terminate the received data with a
nul byte, one additional byte is allocated.

It is not checked if the transmitted size is 2^32 - 1. Adding one more
byte would overflow and lead to 0 byte allocation.

On 64 bit systems, the recv call with 2^32 - 1 does not fail instantly
but reads data from the server into unallocated memory.

Prevent override of unallocated memory by aborting communication.

Proof of Concept Python server (use 64 bit address sanitized client):
```
import os
import socket

os.remove('/tmp/sway-poc.socket')
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
server.bind('/tmp/sway-poc.socket')
server.listen(1)
print('waiting for client')
(client, address) = server.accept()
client.send(b'\x69\x33\x2D\x69\x70\x63\xFF\xFF\xFF\xFF\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF')
input('sent reply, press enter')
client.close()
```
This commit is contained in:
Tobias Stoeckmann 2021-05-07 20:12:57 +02:00
parent 7c74f01f0a
commit edcdb5552d
5 changed files with 24 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

4
include/ipc-client.h
View file

@ -12,7 +12,7 @@
* encoded payload string.
*/
struct ipc_response {
uint32_t size;
size_t size;
uint32_t type;
char *payload;
};
@ -29,7 +29,7 @@ int ipc_open_socket(const char *socket_path);
* Issues a single IPC command and returns the buffer. len will be updated with
* the length of the buffer returned from sway.
*/
char *ipc_single_command(int socketfd, uint32_t type, const char *payload, uint32_t *len);
char *ipc_single_command(int socketfd, uint32_t type, const char *payload, size_t *len);
/**
* Receives a single IPC response and returns an ipc_response.
*/