mirror of
https://github.com/swaywm/sway.git
synced 2026-04-22 06:46:27 -04:00
common: handle invalid IPC messages
The size of IPC data is stored in an unsigned 32 bit data type within
the IPC message header. In order to terminate the received data with a
nul byte, one additional byte is allocated.
It is not checked if the transmitted size is 2^32 - 1. Adding one more
byte would overflow and lead to 0 byte allocation.
On 64 bit systems, the recv call with 2^32 - 1 does not fail instantly
but reads data from the server into unallocated memory.
Prevent override of unallocated memory by aborting communication.
Proof of Concept Python server (use 64 bit address sanitized client):
```
import os
import socket
os.remove('/tmp/sway-poc.socket')
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
server.bind('/tmp/sway-poc.socket')
server.listen(1)
print('waiting for client')
(client, address) = server.accept()
client.send(b'\x69\x33\x2D\x69\x70\x63\xFF\xFF\xFF\xFF\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF')
input('sent reply, press enter')
client.close()
```
This commit is contained in:
Tobias Stoeckmann
parent
7c74f01f0a
commit
edcdb5552d
5 changed files with 24 additions and 12 deletions
|
|
@ -476,7 +476,7 @@ int main(int argc, char **argv) {
|
|||
int socketfd = ipc_open_socket(socket_path);
|
||||
struct timeval timeout = {.tv_sec = 3, .tv_usec = 0};
|
||||
ipc_set_recv_timeout(socketfd, timeout);
|
||||
uint32_t len = strlen(command);
|
||||
size_t len = strlen(command);
|
||||
char *resp = ipc_single_command(socketfd, type, command, &len);
|
||||
|
||||
// pretty print the json
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue