[Fixes] Buffer overruns due to overlength environment variables

Roland Baer roland at verifysoft.de
Tue Aug 8 11:54:11 CEST 2006


Hello,

Coverity Prevent pointed me to the unchecked "strcpy (sa.sun_path, sockname)"
call in rxvtd.C:85. As we have to be consistent with other uses of sockname,
I decided to fix that in rxvtdaemon.C; please apply the attached patch.

Symptom: on my Linux, sa.sun_path can hold 108 null-terminated chars; the size
varies on other platforms. Try setting $RXVT_SOCKET or $HOME to something bigger => coredump

Roland

P.S.: Can I also write in German here?
-------------- next part --------------
Index: rxvtdaemon.C
===================================================================
RCS file: /schmorpforge/rxvt-unicode/src/rxvtdaemon.C,v
retrieving revision 1.13
diff -u -w -r1.13 rxvtdaemon.C
--- rxvtdaemon.C	20 Feb 2006 22:42:00 -0000	1.13
+++ rxvtdaemon.C	8 Aug 2006 09:04:29 -0000
@@ -29,25 +29,33 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/utsname.h>
+#include <sys/un.h>
 #include <limits.h>
 
 #include "rxvtdaemon.h"
 
+#define SUN_PATH_SIZE (sizeof(((struct sockaddr_un *) 0)->sun_path))
+
 char *rxvt_connection::unix_sockname ()
 {
-  char name[PATH_MAX];
+  char name[SUN_PATH_SIZE];
   char *path = getenv ("RXVT_SOCKET");
 
+  if (path && strlen(path) >= SUN_PATH_SIZE)
+    {
+      path[SUN_PATH_SIZE - 1] = 0;
+    }
+
   if (!path)
     {
       struct utsname u;
       uname (&u);
 
       path = getenv ("HOME");
-      snprintf (name, PATH_MAX, "%s/.rxvt-unicode-%s",
+      snprintf (name, SUN_PATH_SIZE, "%s/.rxvt-unicode-%s",
                 path ? path : "/tmp",
                 u.nodename);
-
+      name[SUN_PATH_SIZE-1] = 0;
       path = name;
     }
 
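Review bot: The added `path[SUN_PATH_SIZE - 1] = 0;` in the RXVT_SOCKET check writes into the string returned by getenv (), so it modifies the process environment in place and silently shortens the socket path instead of reporting that it is too long. A truncated $RXVT_SOCKET (and likewise a $HOME-derived name cut off by snprintf) names a different file than the user asked for, and client and daemon only agree on it by accident. I would rather treat an overlong value as an error: check strlen (path) >= SUN_PATH_SIZE and the snprintf return value against SUN_PATH_SIZE, then fail with a message. The trailing `name[SUN_PATH_SIZE-1] = 0;` is redundant, since snprintf with a non-zero size always NUL-terminates. A short comment on SUN_PATH_SIZE saying that it counts the terminating NUL would also help.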


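An added example, not part of the original mail or of the rxvt-unicode sources: one way to handle the overlong case described above is to reject it rather than copy or truncate. The function names `default_sockname` and `fill_unix_addr` are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not rxvt-unicode code): build the default name
 * "<home>/.rxvt-unicode-<node>" into out. A truncated result is an error,
 * because a shortened path would name a different socket. */
int default_sockname (char *out, size_t outsz, const char *home, const char *node)
{
  int r = snprintf (out, outsz, "%s/.rxvt-unicode-%s",
                    home ? home : "/tmp", node);
  if (r < 0 || (size_t) r >= outsz)
    {
      errno = ENAMETOOLONG;
      return -1;
    }
  return 0;
}

/* Hypothetical helper: fill sa from path only if path plus its NUL fits
 * in sun_path. Returns 0, or -1 with errno EINVAL / ENAMETOOLONG.
 * The caller's string (e.g. a getenv () result) is never modified. */
int fill_unix_addr (struct sockaddr_un *sa, const char *path, socklen_t *len)
{
  size_t n;

  if (!sa || !path || !len || !*path)
    {
      errno = EINVAL;
      return -1;
    }
  n = strlen (path);
  if (n >= sizeof (sa->sun_path))
    {
      errno = ENAMETOOLONG;
      return -1;
    }
  memset (sa, 0, sizeof (*sa));
  sa->sun_family = AF_UNIX;
  memcpy (sa->sun_path, path, n + 1);   /* bounded copy, includes the NUL */
  *len = (socklen_t) (offsetof (struct sockaddr_un, sun_path) + n + 1);
  return 0;
}
```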