From: Zdenek Dohnal Date: Mon, 3 Jun 2024 16:53:58 +0000 (+0200) Subject: Fix domain socket handling X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a436956f374b0fd7f5da9df482e4f5840fa1c0d2;p=thirdparty%2Fcups.git Fix domain socket handling - Check status of unlink and bind system calls. - Don't allow extra domain sockets when running from launchd/systemd. - Validate length of domain socket path (< sizeof(sun_path)) Fixes CVE-2024-35235, written by Mike Sweet --- diff --git a/cups/http-addr.c b/cups/http-addr.c index 698b15be51..8f5f758855 100644 --- a/cups/http-addr.c +++ b/cups/http-addr.c @@ -226,18 +226,29 @@ httpAddrListen(http_addr_t *addr, // I - Address to bind to mode_t mask; // Umask setting // Remove any existing domain socket file... - unlink(addr->un.sun_path); + if ((status = unlink(addr->un.sun_path)) < 0) + { + DEBUG_printf("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)); - // Save the current umask and set it to 0 so that all users can access - // the domain socket... - mask = umask(0); + if (errno == ENOENT) + status = 0; + } - // Bind the domain socket... - status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); + if (!status) + { + // Save the current umask and set it to 0 so that all users can access + // the domain socket... + mask = umask(0); - // Restore the umask and fix permissions... - umask(mask); - chmod(addr->un.sun_path, 0140777); + // Bind the domain socket... + if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) + { + DEBUG_printf("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)); + } + + // Restore the umask... + umask(mask); + } } else #endif // AF_LOCAL diff --git a/scheduler/conf.c b/scheduler/conf.c index 95abf82925..d5e0792f2c 100644 --- a/scheduler/conf.c +++ b/scheduler/conf.c @@ -3152,6 +3152,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ cupsd_listener_t *lis; /* New listeners array */ + /* + * If we are launched on-demand, do not use domain sockets from the config + * file. Also check that the domain socket path is not too long... + */ + +#ifdef HAVE_ONDEMAND + if (*value == '/' && OnDemand) + { + if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) + cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); + continue; + } +#endif // HAVE_ONDEMAND + + if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) + { + cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); + continue; + } + /* * Get the address list... */