Fix domain socket handling

- Check status of unlink and bind system calls.
- Don't allow extra domain sockets when running from launchd/systemd.
- Validate length of domain socket path (< sizeof(sun_path))

Fixes CVE-2024-35235, written by Mike Sweet

diff --git a/cups/http-addr.c b/cups/http-addr.c
index 698b15be51863ef58363d123145073d0dcfe3e5e..8f5f758855267fc6a5b291f759262f7085a30dac 100644 (file)
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -226,18 +226,29 @@ httpAddrListen(http_addr_t *addr, // I - Address to bind to
     mode_t     mask;                   // Umask setting
 
     // Remove any existing domain socket file...
-    unlink(addr->un.sun_path);
+    if ((status = unlink(addr->un.sun_path)) < 0)
+    {
+      DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno));
 
-    // Save the current umask and set it to 0 so that all users can access
-    // the domain socket...
-    mask = umask(0);
+      if (errno == ENOENT)
+       status = 0;
+    }
 
-    // Bind the domain socket...
-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+    if (!status)
+    {
+      // Save the current umask and set it to 0 so that all users can access
+      // the domain socket...
+      mask = umask(0);
 
-    // Restore the umask and fix permissions...
-    umask(mask);
-    chmod(addr->un.sun_path, 0140777);
+      // Bind the domain socket...
+      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+      {
+       DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno));
+      }
+
+      // Restore the umask...
+      umask(mask);
+    }
   }
   else
 #endif // AF_LOCAL

diff --git a/scheduler/conf.c b/scheduler/conf.c
index 95abf82925547837ac242366d44869dcba87d9df..d5e0792f2c6a7fb81fa796b7f8c6b71b669836c6 100644 (file)
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3152,6 +3152,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
       cupsd_listener_t *lis;           /* New listeners array */
 
 
+     /*
+      * If we are launched on-demand, do not use domain sockets from the config
+      * file.  Also check that the domain socket path is not too long...
+      */
+
+#ifdef HAVE_ONDEMAND
+      if (*value == '/' && OnDemand)
+      {
+        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+        continue;
+      }
+#endif // HAVE_ONDEMAND
+
+      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+      {
+        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+        continue;
+      }
+
      /*
       * Get the address list...
       */