socket_client.cpp: prevent buffer overflow in creation of unix socket

Path size for UNIX domain sockets is fixed at 108, however, the
method ``.unix_connect()`` of the socket client class accepts
STL strings of any length unchecked. Thus it’s trivial to provoke
a segfault:

    libt2n::socket_client_connection sc(std::string(42 * 42, '!'));

and ... bang!

A check of the client-supplied path value against the buffer size
of ``sockaddr_un.sun_path[]`` is added to prevent the issue.

diff --git a/src/socket_client.cpp b/src/socket_client.cpp
index 9f0064b..fecad13 100644 (file)
--- a/src/socket_client.cpp
+++ b/src/socket_client.cpp
@@ -159,9 +159,19 @@ void socket_client_connection::tcp_connect(int max_retries)
 void socket_client_connection::unix_connect(int max_retries)
 {
     struct sockaddr_un unix_addr;
+    size_t path_size = path.size();
 
     unix_addr.sun_family = AF_UNIX;
-    strcpy (unix_addr.sun_path, path.c_str());
+
+    if (path_size >= sizeof(unix_addr.sun_path))
+    {
+        throw t2n_connect_error((std::string)"path '"
+                                + path
+                                + "' exceeds permissible UNIX socket path length");
+    }
+
+    memcpy(unix_addr.sun_path, path.c_str(), path_size);
+    unix_addr.sun_path[path_size] = '\0';
 
     sock = socket(PF_UNIX, SOCK_STREAM, 0);
     if (!sock)