mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2025-04-26 14:28:49 +00:00
LibCore: Prefer strlcpy over strncpy, fix overflow
A malicious caller can create a SocketAddress for a local unix socket with an over-long name that does not fit into struct sockaddr_un. - Socket::connect: This caused the 'sun_path' field to overflow, probably overwriting the return pointer of the call frame, and thus crashing the process (in the best case). - SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus crashed the process. Both have been fixed to return a nice error code instead of crashing.
parent
d419a780ae
commit
e682967d7e
Notes:
sideshowbarker
2024-07-19 03:14:19 +09:00
Author: https://github.com/BenWiederhake
Commit: e682967d7e
Pull-request: https://github.com/SerenityOS/serenity/pull/3275
Reviewed-by: https://github.com/awesomekling
4 changed files with 25 additions and 5 deletions
|
@ -111,6 +111,12 @@ bool Socket::connect(const SocketAddress& address)
|
|||
|
||||
sockaddr_un saddr;
|
||||
saddr.sun_family = AF_LOCAL;
|
||||
auto dest_address = address.to_string();
|
||||
if (dest_address.length() >= sizeof(saddr.sun_path)) {
|
||||
fprintf(stderr, "Core::Socket: Failed to connect() to %s: Path is too long!\n", dest_address.characters());
|
||||
errno = EINVAL;
|
||||
return false;
|
||||
}
|
||||
strcpy(saddr.sun_path, address.to_string().characters());
|
||||
|
||||
m_destination_address = address;
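Review bot: The `strcpy` into `saddr.sun_path` still evaluates `address.to_string()` a second time instead of copying the `dest_address` that the new length check just validated, so the bound is enforced on one string and the copy is made from another. The two should hold the same value here, but the guard only protects the copy as long as that stays true. Copying from the checked string with an explicit bound keeps the limit visible at the write itself: `strlcpy(saddr.sun_path, dest_address.characters(), sizeof(saddr.sun_path));`. The body of `Socket::connect` starts and ends outside this hunk, so whether `saddr` is zero-initialised before the `connect()` call cannot be confirmed from here.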
|
||||
|
|