wayland-client: reject socket paths longer than 108 bytes

Attempting to write anything longer into the embedded char
array would create a non-null-terminated string, and all
later reads would run off the end into invalid memory.

This is a hard limitation of AF_LOCAL/AF_UNIX sockets.

diff --git a/src/wayland-client.c b/src/wayland-client.c
index bfd45f1..881cda6 100644 (file)
--- a/src/wayland-client.c
+++ b/src/wayland-client.c
@@ -305,7 +305,7 @@ connect_to_socket(struct wl_display *display, const char *name)
        struct sockaddr_un addr;
        socklen_t size;
        const char *runtime_dir;
-       size_t name_size;
+       int name_size;
 
        runtime_dir = getenv("XDG_RUNTIME_DIR");
        if (!runtime_dir) {
@@ -333,6 +333,18 @@ connect_to_socket(struct wl_display *display, const char *name)
                snprintf(addr.sun_path, sizeof addr.sun_path,
                         "%s/%s", runtime_dir, name) + 1;
 
+       assert(name_size > 0);
+       if (name_size > (int)sizeof addr.sun_path) {
+               fprintf(stderr,
+                      "error: socket path \"%s/%s\" plus null terminator"
+                      " exceeds 108 bytes\n", runtime_dir, name);
+               close(display->fd);
+               /* to prevent programs reporting
+                * "failed to add socket: Success" */
+               errno = ENAMETOOLONG;
+               return -1;
+       };
+
        size = offsetof (struct sockaddr_un, sun_path) + name_size;
 
        if (connect(display->fd, (struct sockaddr *) &addr, size) < 0) {