ladybird/Libraries/LibCore/Socket.cpp
Ben Wiederhake e682967d7e LibCore: Prefer strlcpy over strncpy, fix overflow
A malicious caller can create a SocketAddress for a local unix socket with an
over-long name that does not fit into struct sock_addr_un.
- Socket::connet: This caused the 'sun_path' field to
  overflow, probably overwriting the return pointer of the call frame, and thus
  crashing the process (in the best case).
- SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus
  crashing the process.

Both have been fixed to return a nice error code instead of crashing.
2020-08-24 00:45:03 +02:00

220 lines
6.4 KiB
C++

/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <AK/ByteBuffer.h>
#include <LibCore/Notifier.h>
#include <LibCore/Socket.h>
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
//#define CSOCKET_DEBUG
namespace Core {
Socket::Socket(Type type, Object* parent)
: IODevice(parent)
, m_type(type)
{
}
Socket::~Socket()
{
close();
}
bool Socket::connect(const String& hostname, int port)
{
auto* hostent = gethostbyname(hostname.characters());
if (!hostent) {
dbg() << "Socket::connect: Unable to resolve '" << hostname << "'";
return false;
}
IPv4Address host_address((const u8*)hostent->h_addr_list[0]);
#ifdef CSOCKET_DEBUG
dbg() << "Socket::connect: Resolved '" << hostname << "' to " << host_address;
#endif
return connect(host_address, port);
}
void Socket::set_blocking(bool blocking)
{
int flags = fcntl(fd(), F_GETFL, 0);
ASSERT(flags >= 0);
if (blocking)
flags = fcntl(fd(), F_SETFL, flags & ~O_NONBLOCK);
else
flags = fcntl(fd(), F_SETFL, flags | O_NONBLOCK);
ASSERT(flags == 0);
}
bool Socket::connect(const SocketAddress& address, int port)
{
ASSERT(!is_connected());
ASSERT(address.type() == SocketAddress::Type::IPv4);
#ifdef CSOCKET_DEBUG
dbg() << *this << " connecting to " << address << "...";
#endif
ASSERT(port > 0 && port <= 65535);
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
auto ipv4_address = address.ipv4_address();
memcpy(&addr.sin_addr.s_addr, &ipv4_address, sizeof(IPv4Address));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
m_destination_address = address;
m_destination_port = port;
return common_connect((struct sockaddr*)&addr, sizeof(addr));
}
bool Socket::connect(const SocketAddress& address)
{
ASSERT(!is_connected());
ASSERT(address.type() == SocketAddress::Type::Local);
#ifdef CSOCKET_DEBUG
dbg() << *this << " connecting to " << address << "...";
#endif
sockaddr_un saddr;
saddr.sun_family = AF_LOCAL;
auto dest_address = address.to_string();
if (dest_address.length() >= sizeof(saddr.sun_path)) {
fprintf(stderr, "Core::Socket: Failed to connect() to %s: Path is too long!\n", dest_address.characters());
errno = EINVAL;
return false;
}
strcpy(saddr.sun_path, address.to_string().characters());
m_destination_address = address;
return common_connect((const sockaddr*)&saddr, sizeof(saddr));
}
bool Socket::common_connect(const struct sockaddr* addr, socklen_t addrlen)
{
auto connected = [this] {
#ifdef CSOCKET_DEBUG
dbg() << *this << " connected!";
#endif
if (!m_connected) {
m_connected = true;
ensure_read_notifier();
if (m_notifier) {
m_notifier->remove_from_parent();
m_notifier = nullptr;
}
if (on_connected)
on_connected();
}
};
int rc = ::connect(fd(), addr, addrlen);
if (rc < 0) {
if (errno == EINPROGRESS) {
#ifdef CSOCKET_DEBUG
dbg() << *this << " connection in progress (EINPROGRESS)";
#endif
m_notifier = Notifier::construct(fd(), Notifier::Event::Write, this);
m_notifier->on_ready_to_write = move(connected);
return true;
}
int saved_errno = errno;
fprintf(stderr, "Core::Socket: Failed to connect() to %s: %s\n", destination_address().to_string().characters(), strerror(saved_errno));
errno = saved_errno;
return false;
}
#ifdef CSOCKET_DEBUG
dbg() << *this << " connected ok!";
#endif
connected();
return true;
}
ByteBuffer Socket::receive(int max_size)
{
auto buffer = read(max_size);
if (eof()) {
dbg() << *this << " connection appears to have closed in receive().";
m_connected = false;
}
return buffer;
}
bool Socket::send(ReadonlyBytes data)
{
ssize_t nsent = ::send(fd(), data.data(), data.size(), 0);
if (nsent < 0) {
set_error(errno);
return false;
}
ASSERT(static_cast<size_t>(nsent) == data.size());
return true;
}
void Socket::did_update_fd(int fd)
{
if (fd < 0) {
if (m_read_notifier) {
m_read_notifier->remove_from_parent();
m_read_notifier = nullptr;
}
if (m_notifier) {
m_notifier->remove_from_parent();
m_notifier = nullptr;
}
return;
}
if (m_connected) {
ensure_read_notifier();
} else {
// I don't think it would be right if we updated the fd while not connected *but* while having a notifier..
ASSERT(!m_read_notifier);
}
}
void Socket::ensure_read_notifier()
{
ASSERT(m_connected);
m_read_notifier = Notifier::construct(fd(), Notifier::Event::Read, this);
m_read_notifier->on_ready_to_read = [this] {
if (!can_read())
return;
if (on_ready_to_read)
on_ready_to_read();
};
}
}