daemon: fix off-by-one in MSG_TRIGGER_SERVICE3 validation
handle_message_from_agent() assumes there is always space for a
terminating NUL character in the payload. Reject messages that have 0
space for the payload, as that would make the function write a NUL byte
before the malloc()-ed buffer, and then proceed to handle it as a
NUL-terminated string (which isn't necessarily the case now).

In practice, glibc's malloc() always allocates at least a 32-byte buffer,
even if 0 was requested, and the later call to sanitize_name() will hit
some NUL byte in those 32 bytes before corrupting anything (see the more
detailed analysis in QSB-089), but some more serious impact cannot be
fully excluded.

Reported-by: Demi Marie Obenour <[email protected]>
(cherry picked from commit 322bcf6)
marmarek committed May 11, 2023
1 parent 129159e commit 7d9fddf
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion daemon/qrexec-daemon.c
Expand Up @@ -923,7 +923,7 @@ static void sanitize_message_from_agent(struct msg_header *untrusted_header)
"although it uses protocol %d", protocol_version);
exit(1);
}
if (untrusted_header->len < sizeof(struct trigger_service_params3)) {
if (untrusted_header->len <= sizeof(struct trigger_service_params3)) {
LOG(ERROR, "agent sent invalid MSG_TRIGGER_SERVICE3 packet");
exit(1);
}
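Review bot: the new bound `len <= sizeof(struct trigger_service_params3)` is what guarantees the caller at least one byte after the params for the terminating NUL, but nothing in the hunk records that invariant, so a later reader could mistake the `<=` for an off-by-one and revert it to `<`; add a comment on the check, e.g. `/* at least one byte after the params is needed for the terminating NUL */`, and consider having the LOG message say the packet is too short rather than just invalid.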

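As an added illustration of the off-by-one the commit message describes (this is not qrexec code; the struct layout, the `len_ok_*` helpers and `extract_service_name()` are assumptions that model the described behaviour), the pre-fix and post-fix bounds side by side, with the position of the NUL write computed rather than performed:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for the real struct (layout not shown on this page); only its
 * size matters for the off-by-one. */
struct trigger_service_params3 { char target_domain[32]; char request_id[32]; };
#define PARAMS_LEN sizeof(struct trigger_service_params3)

enum nul_outcome { REJECTED, IN_BOUNDS, BEFORE_BUFFER };

/* Bound before the fix: accepts len == PARAMS_LEN (zero-length service name). */
static bool len_ok_before(uint32_t len) { return !(len < PARAMS_LEN); }
/* Bound after the fix: the service name must be at least one byte long. */
static bool len_ok_after(uint32_t len)  { return !(len <= PARAMS_LEN); }

/* Models the pattern the commit message describes: the bytes after the params
 * go into a malloc(service_len) buffer whose last byte is overwritten with NUL,
 * i.e. buf[service_len - 1] = '\0'. Reports where that write would land
 * instead of performing it, so the bad case is safe to run. */
static enum nul_outcome nul_write_outcome(uint32_t len, bool (*len_ok)(uint32_t)) {
    if (!len_ok(len)) return REJECTED;
    size_t service_len = len - PARAMS_LEN;
    /* service_len == 0 means malloc(0) followed by buf[-1] = '\0' */
    return service_len == 0 ? BEFORE_BUFFER : IN_BOUNDS;
}

/* Hardened extraction using the fixed bound: returns a NUL-terminated copy of
 * the service name following the params (caller frees), or NULL on rejection. */
static char *extract_service_name(const uint8_t *msg, uint32_t len) {
    if (!len_ok_after(len)) return NULL;
    size_t service_len = len - PARAMS_LEN;
    char *buf = malloc(service_len);
    if (!buf) return NULL;
    memcpy(buf, msg + PARAMS_LEN, service_len);
    buf[service_len - 1] = '\0';  /* in bounds: service_len >= 1 is guaranteed */
    return buf;
}

/* Constructed sample message: zeroed params followed by an 8-byte name. */
static bool demo_hardened_extract(void) {
    uint8_t msg[PARAMS_LEN + 8] = {0};
    memcpy(msg + PARAMS_LEN, "qubes.Xx", 8);
    char *name = extract_service_name(msg, sizeof msg);
    bool ok = name != NULL && strcmp(name, "qubes.X") == 0;  /* last byte forced to NUL */
    free(name);
    return ok;
}
```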