wayland-client: reject socket paths longer than 108 bytes

Attempting to write anything longer into the embedded char
array would create a non-null-terminated string, and all
later reads would run off the end into invalid memory.

This is a hard limitation of AF_LOCAL/AF_UNIX sockets.

1 files changed, 13 insertions, 1 deletions

diff --git a/src/wayland-client.c b/src/wayland-client.c
index bfd45f1..881cda6 100644
--- a/src/wayland-client.c
+++ b/src/wayland-client.c
@@ -305,7 +305,7 @@ connect_to_socket(struct wl_display *display, const char *name)
 	struct sockaddr_un addr;
 	socklen_t size;
 	const char *runtime_dir;
-	size_t name_size;
+	int name_size;
 
 	runtime_dir = getenv("XDG_RUNTIME_DIR");
 	if (!runtime_dir) {
@@ -333,6 +333,18 @@ connect_to_socket(struct wl_display *display, const char *name)
 		snprintf(addr.sun_path, sizeof addr.sun_path,
 			 "%s/%s", runtime_dir, name) + 1;
 
+	assert(name_size > 0);
+	if (name_size > (int)sizeof addr.sun_path) {
+		fprintf(stderr,
+		       "error: socket path \"%s/%s\" plus null terminator"
+		       " exceeds 108 bytes\n", runtime_dir, name);
+		close(display->fd);
+		/* to prevent programs reporting
+		 * "failed to add socket: Success" */
+		errno = ENAMETOOLONG;
+		return -1;
+	};
+
 	size = offsetof (struct sockaddr_un, sun_path) + name_size;
 
 	if (connect(display->fd, (struct sockaddr *) &addr, size) < 0) {