mirrors/sway
1
0
Fork 0
mirror of https://github.com/swaywm/sway.git synced 2026-04-22 06:46:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
sway/include/ipc-client.h
Tobias Stoeckmann edcdb5552d common: handle invalid IPC messages 
The size of IPC data is stored in an unsigned 32 bit data type within
the IPC message header. In order to terminate the received data with a
nul byte, one additional byte is allocated.

It is not checked if the transmitted size is 2^32 - 1. Adding one more
byte would overflow and lead to 0 byte allocation.

On 64 bit systems, the recv call with 2^32 - 1 does not fail instantly
but reads data from the server into unallocated memory.

Prevent override of unallocated memory by aborting communication.

Proof of Concept Python server (use 64 bit address sanitized client):
```
import os
import socket

os.remove('/tmp/sway-poc.socket')
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
server.bind('/tmp/sway-poc.socket')
server.listen(1)
print('waiting for client')
(client, address) = server.accept()
client.send(b'\x69\x33\x2D\x69\x70\x63\xFF\xFF\xFF\xFF\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF')
input('sent reply, press enter')
client.close()
```
2021-05-07 21:10:03 +02:00

46 lines
1 KiB
C
Raw Blame History

#ifndef _SWAY_IPC_CLIENT_H
#define _SWAY_IPC_CLIENT_H
#include <stdbool.h>
#include <stdint.h>
#include <sys/time.h>
#include "ipc.h"
/**
* IPC response including type of IPC response, size of payload and the json
* encoded payload string.
*/
struct ipc_response {
size_t size;
uint32_t type;
char *payload;
};
/**
* Gets the path to the IPC socket from sway.
*/
char *get_socketpath(void);
/**
* Opens the sway socket.
*/
int ipc_open_socket(const char *socket_path);
/**
* Issues a single IPC command and returns the buffer. len will be updated with
* the length of the buffer returned from sway.
*/
char *ipc_single_command(int socketfd, uint32_t type, const char *payload, size_t *len);
/**
* Receives a single IPC response and returns an ipc_response.
*/
struct ipc_response *ipc_recv_response(int socketfd);
/**
* Free ipc_response struct
*/
void free_ipc_response(struct ipc_response *response);
/**
* Sets the receive timeout for the IPC socket
*/
bool ipc_set_recv_timeout(int socketfd, struct timeval tv);
#endif
Reference in a new issue View git blame Copy permalink