mirrors/wayland
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wayland/wayland.git synced 2025-11-03 09:01:42 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

wayland-server: reject socket paths longer than 108 bytes

Browse source 
Attempting to write anything longer into the embedded char
array would create a non-null-terminated string, and all
later reads would run off the end into invalid memory.

This is a hard limitation of AF_LOCAL/AF_UNIX sockets.
This commit is contained in:
Dylan Noblesmith 2012-06-15 21:32:19 +00:00
parent 4522467268
commit 00c25a0565
1 changed files with 15 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/wayland-server.c
View file

@ -1153,7 +1153,8 @@ WL_EXPORT int
wl_display_add_socket(struct wl_display *display, const char *name) wl_display_add_socket(struct wl_display *display, const char *name)
{ {
struct wl_socket *s; struct wl_socket *s;
socklen_t size, name_size; socklen_t size;
int name_size;
const char *runtime_dir; const char *runtime_dir;
runtime_dir = getenv("XDG_RUNTIME_DIR"); runtime_dir = getenv("XDG_RUNTIME_DIR");
@ -1185,6 +1186,19 @@ wl_display_add_socket(struct wl_display *display, const char *name)
s->addr.sun_family = AF_LOCAL; s->addr.sun_family = AF_LOCAL;
name_size = snprintf(s->addr.sun_path, sizeof s->addr.sun_path, name_size = snprintf(s->addr.sun_path, sizeof s->addr.sun_path,
"%s/%s", runtime_dir, name) + 1; "%s/%s", runtime_dir, name) + 1;
assert(name_size > 0);
if (name_size > (int)sizeof s->addr.sun_path) {
wl_log("error: socket path \"%s/%s\" plus null terminator"
" exceeds 108 bytes\n", runtime_dir, name);
close(s->fd);
free(s);
/* to prevent programs reporting
* "failed to add socket: Success" */
errno = ENAMETOOLONG;
return -1;
};
wl_log("using socket %s\n", s->addr.sun_path); wl_log("using socket %s\n", s->addr.sun_path);
s->fd_lock = get_socket_lock(s); s->fd_lock = get_socket_lock(s);