Path size for UNIX domain sockets is fixed at 108; however, the
method ``.unix_connect()`` of the socket client class accepts
STL strings of any length unchecked. Thus it’s trivial to provoke
a segfault:
    libt2n::socket_client_connection sc(std::string(42 * 42, '!'));
and ... bang!
A check of the client-supplied path value against the buffer size
of ``sockaddr_un.sun_path[]`` is added to prevent the issue.
void socket_client_connection::unix_connect(int max_retries)
{
struct sockaddr_un unix_addr;
+ size_t path_size = path.size();
unix_addr.sun_family = AF_UNIX;
- strcpy (unix_addr.sun_path, path.c_str());
+
+ if (path_size >= sizeof(unix_addr.sun_path))
+ {
+ throw t2n_connect_error((std::string)"path '"
+ + path
+ + "' exceeds permissible UNIX socket path length");
+ }
+
+ memcpy(unix_addr.sun_path, path.c_str(), path_size);
+ unix_addr.sun_path[path_size] = '\0';
sock = socket(PF_UNIX, SOCK_STREAM, 0);
if (!sock)
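Review bot: the message built in the new `throw t2n_connect_error(...)` embeds the entire rejected path, so an oversized input such as the 42 * 42 character string from the commit message is copied in full into the exception text and into whatever logs it; reporting `path_size` and `sizeof(unix_addr.sun_path)` instead, or a truncated prefix of the path, would keep the error bounded. The bound check itself (`>=`, leaving one byte for the terminator written at `sun_path[path_size]`) looks right. Since `path` is a `std::string`, it may also contain embedded NUL bytes, which `memcpy` will copy and which silently shorten the path the kernel sees; rejecting those in the same check would be cheap. In the trailing context, `if (!sock)` tests for zero, but `socket()` reports failure with -1, so a failed call would not be caught here; `if (sock < 0)` is the usual test and could be fixed in this change or a follow-up. Minor style: `(std::string)"path '"` reads better as `std::string("path '")`.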