From 9e6b678cf709986e3ee83d1354da577f7f436c47 Mon Sep 17 00:00:00 2001
From: Tim Allen
Date: Thu, 7 Apr 2022 21:23:10 +1000
Subject: [PATCH 1/2] Do all session name validation in session_path().

---
 src/remote.cc | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/src/remote.cc b/src/remote.cc
index e6992c20..7a8f0d02 100644
--- a/src/remote.cc
+++ b/src/remote.cc
@@ -605,8 +605,8 @@ const String& session_directory()
 
 String session_path(StringView session)
 {
-    if (contains(session, '/'))
-        throw runtime_error{"session names cannot have slashes"};
+    if (not all_of(session, is_identifier))
+        throw runtime_error{format("invalid session name: '{}'", session)};
     return format("{}/{}", session_directory(), session);
 }
 
@@ -848,9 +848,6 @@ private:
 Server::Server(String session_name, bool is_daemon)
     : m_session{std::move(session_name)}, m_is_daemon{is_daemon}
 {
-    if (not all_of(m_session, is_identifier))
-        throw runtime_error{format("invalid session name: '{}'", m_session)};
-
     int listen_sock = socket(AF_UNIX, SOCK_STREAM, 0);
     fcntl(listen_sock, F_SETFD, FD_CLOEXEC);
     sockaddr_un addr = session_addr(m_session);
@@ -885,9 +882,6 @@ Server::Server(String session_name, bool is_daemon)
 
 bool Server::rename_session(StringView name)
 {
-    if (not all_of(name, is_identifier))
-        throw runtime_error{format("invalid session name: '{}'", name)};
-
     String old_socket_file = session_path(m_session);
     String new_socket_file = session_path(name);
 

From 9cf8a3ccd6531c2cf2695b4598c6ceff75ed2dc9 Mon Sep 17 00:00:00 2001
From: Tim Allen
Date: Thu, 7 Apr 2022 21:36:15 +1000
Subject: [PATCH 2/2] Check for buffer overflow when constructing the socket path.

---
 src/remote.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/remote.cc b/src/remote.cc
index 7a8f0d02..63a7fecf 100644
--- a/src/remote.cc
+++ b/src/remote.cc
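Review bot: With the name check moved into session_path(), Server::Server (second hunk) now calls socket() and fcntl() before session_addr(m_session) can reject the name, so an invalid session name leaks listen_sock where the old code threw before any descriptor existed; moving `sockaddr_un addr = session_addr(m_session);` above the `int listen_sock = socket(AF_UNIX, SOCK_STREAM, 0);` line restores the old ordering without changing the validation. The new predicate in the first hunk also accepts an empty name (as the removed constructor check did), because all_of over an empty range is true, and `format("{}/{}", session_directory(), session)` then yields the session directory with a trailing slash rather than a socket path; `if (session.empty() or not all_of(session, is_identifier))` would close that, assuming no caller relies on an empty name. Server::Server's body continues past the second hunk, and rename_session's past the third.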
@@ -614,7 +614,10 @@ static sockaddr_un session_addr(StringView session)
 {
     sockaddr_un addr;
     addr.sun_family = AF_UNIX;
-    strcpy(addr.sun_path, session_path(session).c_str());
+    String path = session_path(session);
+    if (path.length() + 1 > sizeof addr.sun_path)
+        throw runtime_error{format("socket path too long: '{}'", path)};
+    strcpy(addr.sun_path, path.c_str());
     return addr;
 }
 
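Review bot: `sockaddr_un addr;` on the first context line leaves the struct uninitialized, so even with the new length check strcpy() fills sun_path only up to the terminator and the bytes after it (plus any padding) stay indeterminate in the value handed back to whichever bind()/connect() caller consumes it; `sockaddr_un addr{};` zero-initializes the whole struct at no cost. The added check itself is correct — `path.length() + 1 > sizeof addr.sun_path` is exactly the condition under which the copy would overrun — and throwing before the strcpy() is the right order. session_addr's signature is the line before the hunk, visible only in the @@ context.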