From: Zofia Grzelewska Date: Wed, 21 Feb 2018 12:03:50 +0000 (+0100) Subject: Check if path isn't too long before copying to sock path X-Git-Tag: submit/tizen_4.0/20180228.125915~2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a616882a90ed5879cfec9ad4ded31c1c867e69b8;p=platform%2Fcore%2Fsecurity%2Faskuser.git Check if path isn't too long before copying to sock path This fixes possible buffer overflow, when path is copied to sun_path without size check. Change-Id: Ib63d885d3eea3bc8441354d8143acba47276eb1b
---
diff --git a/src/ipc/sock.cpp b/src/ipc/sock.cpp
index 34022e0..99c21b4 100644
--- a/src/ipc/sock.cpp
+++ b/src/ipc/sock.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 Samsung Electronics Co.
+ * Copyright (c) 2017-2018 Samsung Electronics Co.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -169,6 +169,10 @@ int Sock::connect(const std::string &path) {
 ALOGE("Too long address (path) for UNIX socket");
 return -1;
 }
+ if (path.size() >= sizeof(remote.sun_path)) {
+ ALOGE("Path " << path << " is too long");
+ return -1;
+ }
 memcpy(remote.sun_path, path.c_str(), path.size()+1);
 }
@@ -222,6 +226,10 @@ int Sock::send(const RawBuffer &buffer) {
 struct sockaddr_un addr;
 memset(&addr, 0, sizeof(addr));
 addr.sun_family = AF_UNIX;
+ if (m_path.size() >= sizeof(addr.sun_path)) {
+ ALOGE("Path " << m_path << " is too long");
+ return -1;
+ }
 memcpy(addr.sun_path, m_path.data(), m_path.size());
 return static_cast( TEMP_FAILURE_RETRY(::sendto(m_fd, buffer.data(), buffer.size(), flags,
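Review bot: The new `ALOGE("Path " << path << " is too long")` in Sock::connect writes a caller-supplied string of unbounded length into the log on exactly the branch where it is known to be oversized, and the `m_path` message added in Sock::send does the same. Logging the length rather than the content keeps the diagnostic useful while preventing an oversized or control-character-laden path from flooding or garbling the log, e.g. `ALOGE("Socket path too long: " << path.size() << " bytes, max " << sizeof(remote.sun_path) - 1);`. The context line just above already reports "Too long address (path) for UNIX socket"; its condition is outside the hunk, so it is worth confirming the two checks do not test the same thing. Both hunks repeat the same comparison, so a small shared helper would keep the bound in one place.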
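Review bot: The length of `m_path` is checked only here, at send time, so an over-long path can still be stored in the object and then every later send fails with -1. Where `m_path` is assigned is outside the hunk; if that happens in Sock::connect, which now rejects long paths, consider enforcing the bound at the assignment and recording it next to the member with a comment such as `// invariant: m_path.size() < sizeof(sockaddr_un::sun_path), enforced when set`. The `memcpy` below copies `m_path.size()` bytes without the terminator and relies on the preceding `memset` for NUL termination, which the new `>=` bound keeps valid; a one-line comment like `// addr is zeroed above, so sun_path stays NUL-terminated` would make that dependency explicit. The body of Sock::send starts and ends outside the hunk.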