From e762ce2e419591953d0051b330f6886cf0a5da9b Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Sun, 21 Mar 2021 11:39:33 +0100
Subject: [PATCH] daemon: enforce limits when receiving arbitrary-length data in privsep

---
 src/daemon/priv-linux.c | 3 +++
 src/daemon/priv.c | 16 +++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/daemon/priv-linux.c b/src/daemon/priv-linux.c
index 315faf3e..37865235 100644
--- a/src/daemon/priv-linux.c
+++ b/src/daemon/priv-linux.c
@@ -21,6 +21,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -81,6 +82,8 @@ asroot_open()
 	regex_t preg;
 
 	must_read(PRIV_PRIVILEGED, &len, sizeof(len));
+	if (len < 0 || len > PATH_MAX)
+		fatalx("privsep", "too large value requested");
 	if ((file = (char *)malloc(len + 1)) == NULL)
 		fatal("privsep", NULL);
 	must_read(PRIV_PRIVILEGED, file, len);
diff --git a/src/daemon/priv.c b/src/daemon/priv.c
index 1c362121..08b58619 100644
--- a/src/daemon/priv.c
+++ b/src/daemon/priv.c
@@ -106,15 +106,17 @@ char *
 priv_gethostname()
 {
 	static char *buf = NULL;
-	int rc;
+	int len;
 	enum priv_cmd cmd = PRIV_GET_HOSTNAME;
 	must_write(PRIV_UNPRIVILEGED, &cmd, sizeof(enum priv_cmd));
 	priv_wait();
-	must_read(PRIV_UNPRIVILEGED, &rc, sizeof(int));
-	if ((buf = (char*)realloc(buf, rc+1)) == NULL)
+	must_read(PRIV_UNPRIVILEGED, &len, sizeof(int));
+	if (len < 0 || len > 255)
+		fatalx("privsep", "too large value requested");
+	if ((buf = (char*)realloc(buf, len+1)) == NULL)
 		fatal("privsep", NULL);
-	must_read(PRIV_UNPRIVILEGED, buf, rc);
-	buf[rc] = '\0';
+	must_read(PRIV_UNPRIVILEGED, buf, len);
+	buf[len] = '\0';
 	return buf;
 }
 
@@ -205,6 +207,8 @@ asroot_ctl_cleanup()
 	int rc = 0;
 
 	must_read(PRIV_PRIVILEGED, &len, sizeof(int));
+	if (len < 0 || len > PATH_MAX)
+		fatalx("privsep", "too large value requested");
 	if ((ctlname = (char*)malloc(len+1)) == NULL)
 		fatal("privsep", NULL);
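Review bot: The new guard in asroot_open (priv-linux.c @@ -81) compares `len` against PATH_MAX, but `len` is declared above the hunk, so its type cannot be confirmed here; the `len < 0` half of the test is only meaningful if it is a signed type like the `int len` visible in priv.c, and the check should be read together with that declaration. The same two-line guard is pasted verbatim into the three priv.c hunks (priv_gethostname with 255, asroot_ctl_cleanup and asroot_iface_description with PATH_MAX); a small static helper that reads the length and applies the bound in one place would keep the four call sites from drifting apart on later edits. The `#include` added at @@ -21 has lost its header name in this rendering; it presumably supplies PATH_MAX, whereas priv.c gains no include, so PATH_MAX there must already reach the file through an existing header, which is worth confirming on the non-Linux builds. The body of asroot_open continues outside the hunk, so whether `file[len]` is NUL-terminated after the second must_read cannot be seen here.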
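Review bot: The upper bound `255` in priv_gethostname (priv.c @@ -106) is a bare magic number next to the named PATH_MAX used by the other three guards; a named constant, e.g. a constructed `enum { PRIV_HOSTNAME_MAX = 255 };` with `if (len < 0 || len > PRIV_HOSTNAME_MAX)`, would document that this is the hostname length cap rather than an accident of the buffer sizing. On the preceding line the read uses `sizeof(int)` where the new asroot_open code uses `sizeof(len)`; `must_read(PRIV_UNPRIVILEGED, &len, sizeof(len));` keeps the read width tied to the variable if its type ever changes. A rejected length here calls fatalx in the unprivileged process, so a malformed reply from the privileged side takes the daemon down; that looks like the intended fail-closed behaviour, and a comment such as `/* length comes from the privileged side; bound it anyway and fail closed */` would make it explicit.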
@@ -310,6 +314,8 @@ asroot_iface_description()
 	must_read(PRIV_PRIVILEGED, &name, sizeof(name));
 	name[sizeof(name) - 1] = '\0';
 	must_read(PRIV_PRIVILEGED, &len, sizeof(int));
+	if (len < 0 || len > PATH_MAX)
+		fatalx("privsep", "too large value requested");
 	if ((description = (char*)malloc(len+1)) == NULL)
 		fatal("privsep", NULL);
-- 
2.39.5