Ensure consistent treatment of "QUBESRPC" followed by non-space

parse_qubes_rpc_command() would not treat this as a service call, whereas exec_qubes_rpc_if_requested() would. Therefore, the command would be executed as a service call, but the usual check for socket-based services would be skipped. Furthermore, exec_qubes_rpc_if_requested() would silently ignore everything after "QUBESRPC" until the first space or the end of the string. To avoid this inconsistent behavior, ensure that both execute_qubes_rpc_if_requested() and parse_qubes_rpc_command() detect this situation and fail the service call. There are no tests for QUBESRPC followed by a non-space so the current behavior is almost certainly not intentional. There are no tests for the new behavior, either, but an error condition is very unlikely to be accidentally depended on.
QubesOS · Apr 28, 2024 · 71c1ae3 · 71c1ae3
1 parent b115494
commit 71c1ae3
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/libqrexec/exec.c b/libqrexec/exec.c
@@ -54,6 +54,11 @@ void exec_qubes_rpc_if_requested(const char *prog, char *const envp[]) {
         char *argv[16]; // right now 6 are used, but allow future extensions
         size_t i = 0;
 
+        if (prog[RPC_REQUEST_COMMAND_LEN] != ' ') {
+            LOG(ERROR, "\"" RPC_REQUEST_COMMAND "\" not followed by space");
+            _exit(126);
+        }
+
         prog_copy = strdup(prog);
         if (!prog_copy) {
             PERROR("strdup");
@@ -404,13 +409,18 @@ struct qrexec_parsed_command *parse_qubes_rpc_command(
     } else
         cmd->nogui = false;
 
-    /* If the command starts with "QUBESRPC ", parse service descriptor */
-    if (strncmp(cmd->command, RPC_REQUEST_COMMAND " ",
-                RPC_REQUEST_COMMAND_LEN + 1) == 0) {
+    /* If the command starts with "QUBESRPC", parse service descriptor */
+    if (strncmp(cmd->command, RPC_REQUEST_COMMAND,
+                RPC_REQUEST_COMMAND_LEN) == 0) {
         const char *start, *end;
 
-        /* Parse service descriptor ("qubes.Service+arg") */
+        /* Check for space after "QUBESRPC" */
+        if (cmd->command[RPC_REQUEST_COMMAND_LEN] != ' ') {
+            LOG(ERROR, "\"" RPC_REQUEST_COMMAND "\" not followed by space");
+            goto err;
+        }
 
+        /* Parse service descriptor ("qubes.Service+arg") */
         start = cmd->command + RPC_REQUEST_COMMAND_LEN + 1;
         end = strchr(start, ' ');
         if (!end) {