From e762ce2e419591953d0051b330f6886cf0a5da9b Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.ch>
Date: Sun, 21 Mar 2021 11:39:33 +0100
Subject: [PATCH] daemon: enforce limits when receiving arbitrary-length data
 in privsep

---
 src/daemon/priv-linux.c |  3 +++
 src/daemon/priv.c       | 16 +++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/daemon/priv-linux.c b/src/daemon/priv-linux.c
index 315faf3e..37865235 100644
--- a/src/daemon/priv-linux.c
+++ b/src/daemon/priv-linux.c
@@ -21,6 +21,7 @@
 #include <inttypes.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <limits.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <regex.h>
@@ -81,6 +82,8 @@ asroot_open()
 	regex_t preg;
 
 	must_read(PRIV_PRIVILEGED, &len, sizeof(len));
+	if (len < 0 || len > PATH_MAX)
+		fatalx("privsep", "too large value requested");
 	if ((file = (char *)malloc(len + 1)) == NULL)
 		fatal("privsep", NULL);
 	must_read(PRIV_PRIVILEGED, file, len);
diff --git a/src/daemon/priv.c b/src/daemon/priv.c
index 1c362121..08b58619 100644
--- a/src/daemon/priv.c
+++ b/src/daemon/priv.c
@@ -106,15 +106,17 @@ char *
 priv_gethostname()
 {
 	static char *buf = NULL;
-	int rc;
+	int len;
 	enum priv_cmd cmd = PRIV_GET_HOSTNAME;
 	must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd));
 	priv_wait();
-	must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int));
-	if ((buf = (char*)realloc(buf, rc+1)) == NULL)
+	must_read(PRIV_UNPRIVILEGED, &len, sizeof(int));
+	if (len < 0 || len > 255)
+		fatalx("privsep", "too large value requested");
+	if ((buf = (char*)realloc(buf, len+1)) == NULL)
 		fatal("privsep", NULL);
-	must_read(PRIV_UNPRIVILEGED, buf, rc);
-	buf[rc] = '\0';
+	must_read(PRIV_UNPRIVILEGED, buf, len);
+	buf[len] = '\0';
 	return buf;
 }
 
@@ -205,6 +207,8 @@ asroot_ctl_cleanup()
 	int rc = 0;
 
 	must_read(PRIV_PRIVILEGED, &len, sizeof(int));
+	if (len < 0 || len > PATH_MAX)
+		fatalx("privsep", "too large value requested");
 	if ((ctlname = (char*)malloc(len+1)) == NULL)
 		fatal("privsep", NULL);
 
@@ -310,6 +314,8 @@ asroot_iface_description()
 	must_read(PRIV_PRIVILEGED, &name, sizeof(name));
 	name[sizeof(name) - 1] = '\0';
 	must_read(PRIV_PRIVILEGED, &len, sizeof(int));
+	if (len < 0 || len > PATH_MAX)
+		fatalx("privsep", "too large value requested");
 	if ((description = (char*)malloc(len+1)) == NULL)
 		fatal("privsep", NULL);
 
-- 
2.39.5