connection: Reject strings containing NUL bytes

libwayland cannot construct these messages as it uses strlen() to determine string lengths. libwayland is also guaranteed to misinterpret these messages, since message handlers only get a pointer and no length. Therefore, reject strings containing NUL bytes. Also remove a redundant check from the unmarshalling code. The zero-length case has already been checked for. Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
2025-10-29 05:40:16 -04:00 · 2024-07-24 21:20:12 -04:00 · 2024-07-24 21:20:12 -04:00 · 6c4a695045
commit 6c4a695045
parent 0239b082b9
2 changed files with 11 additions and 2 deletions
--- a/doc/publican/sources/Protocol.xml
+++ b/doc/publican/sources/Protocol.xml
@ -152,7 +152,8 @@
 	      Starts with an unsigned 32-bit length (including null terminator),
 	      followed by the UTF-8 encoded string contents, including
 	      terminating null byte, then padding to a 32-bit boundary. A null
-	      value is represented with a length of 0.
+	      value is represented with a length of 0. Interior null bytes are
+	      not permitted.
 	    </para>
 	  </listitem>
 	</varlistentry>
--- a/src/connection.c
+++ b/src/connection.c
@ -975,7 +975,7 @@ wl_connection_demarshal(struct wl_connection *connection,

 			s = (char *) p;

-			if (length > 0 && s[length - 1] != '\0') {
+			if (s[length - 1] != '\0') {
 				wl_log("string not nul-terminated, "
 				       "message %s(%s)\n",
 				       message->name, message->signature);
@ -983,6 +983,14 @@ wl_connection_demarshal(struct wl_connection *connection,
 				goto err;
 			}

+			if (strlen(s) != length - 1) {
+				wl_log("string has embedded nul at offset %zu, "
+				       "message %s(%s)\n", strlen(s),
+				       message->name, message->signature);
+				errno = EINVAL;
+				goto err;
+			}
+
 			closure->args[i].s = s;
 			p = next;
 			break;