From 7d9c3eea7fd46abff305827c9e3f1fc7e5ab1e5d Mon Sep 17 00:00:00 2001
From: Philipp Gesang
Date: Tue, 10 Mar 2015 15:23:23 +0100
Subject: [PATCH] socket_client.cpp: prevent buffer overflow in creation of unix socket
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Path size for UNIX domain sockets is fixed at 108, however, the method ``.unix_connect()`` of the socket client class accepts STL strings of any length unchecked. Thus it’s trivial to provoke a segfault: libt2n::socket_client_connection sc(std::string(42 * 42, '!')); and ... bang! A check of the client-supplied path value against the buffer size of ``sockaddr_un.sun_path[]`` is added to prevent the issue.
---
 src/socket_client.cpp | 12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/src/socket_client.cpp b/src/socket_client.cpp
index 9f0064b..fecad13 100644
--- a/src/socket_client.cpp
+++ b/src/socket_client.cpp
@@ -159,9 +159,19 @@ void socket_client_connection::tcp_connect(int max_retries)
 void socket_client_connection::unix_connect(int max_retries)
 {
 struct sockaddr_un unix_addr;
+ size_t path_size = path.size();
 unix_addr.sun_family = AF_UNIX;
- strcpy (unix_addr.sun_path, path.c_str());
+
+ if (path_size >= sizeof(unix_addr.sun_path))
+ {
+ throw t2n_connect_error((std::string)"path '"
+ + path
+ + "' exceeds permissible UNIX socket path length");
+ }
+
+ memcpy(unix_addr.sun_path, path.c_str(), path_size);
+ unix_addr.sun_path[path_size] = '\0';
 sock = socket(PF_UNIX, SOCK_STREAM, 0);
 if (!sock)
-- 1.7.1
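Review bot: The message built in the new `throw` embeds the whole rejected `path`, so an over-long, caller-supplied string is copied in full into the exception text and into any log that records it; quoting a bounded prefix is enough, e.g. `+ path.substr(0, sizeof(unix_addr.sun_path))` in place of `+ path`. The size test itself is right (`>=` leaves room for the terminator), but `path.size()` also counts embedded NUL bytes, which `memcpy` now copies where `strcpy` stopped, so a guard such as `if (path.find('\0') != std::string::npos)` could reject those paths explicitly if they are not meant to be accepted. Separately, the trailing context line tests `if (!sock)`, while socket() signals failure with -1, so that check looks like it misses the error case; it predates this patch. The body of unix_connect continues past the end of the hunk.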