mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2025-06-04 09:22:53 +00:00
LibCore: Prefer strlcpy over strncpy, fix overflow
A malicious caller can create a SocketAddress for a local unix socket with an over-long name that does not fit into struct sock_addr_un. - Socket::connet: This caused the 'sun_path' field to overflow, probably overwriting the return pointer of the call frame, and thus crashing the process (in the best case). - SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus crashing the process. Both have been fixed to return a nice error code instead of crashing.
This commit is contained in:
Ben Wiederhake
Andreas Kling
parent
d419a780ae
commit
e682967d7e
Notes:
sideshowbarker
2024-07-19 03:14:19 +09:00
Author: https://github.com/BenWiederhake
Commit: e682967d7e
Pull-request: https://github.com/SerenityOS/serenity/pull/3275
Reviewed-by: https://github.com/awesomekling
4 changed files with 25 additions and 5 deletions
|
|
@ -121,7 +121,12 @@ bool LocalServer::listen(const String& address)
|
|||
#endif
|
||||
|
||||
auto socket_address = SocketAddress::local(address);
|
||||
auto un = socket_address.to_sockaddr_un();
|
||||
auto un_optional = socket_address.to_sockaddr_un();
|
||||
if (!un_optional.has_value()) {
|
||||
perror("bind");
|
||||
return false;
|
||||
}
|
||||
auto un = un_optional.value();
|
||||
rc = ::bind(m_fd, (const sockaddr*)&un, sizeof(un));
|
||||
if (rc < 0) {
|
||||
perror("bind");
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue