From 7d9fddfbd1af0e7f25ff745ecd4b21ffd30b173c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 11 May 2023 15:07:35 +0200 Subject: [PATCH] daemon: fix off-by-one in MSG_TRIGGER_SERVICE3 validation The handle_message_from_agent() assumes there is always a space for the terminating NUL character in the payload. Reject messages that have 0 space for the payload, as that would make the function write a NUL byte before the malloc()-ed buffer, and then proceed to handle it as a NUL-terminated string (which isn't necessarily the case now). In practice, glibc's malloc() always allocates at least a 32-byte buffer, even if 0 was requested, and the later call to sanitize_name() will hit some NUL byte in those 32 bytes before corrupting anything (see more detailed analysis in QSB-089), but some more serious impact cannot be fully excluded. Reported-by: Demi Marie Obenour (cherry picked from commit 322bcf6edf0483a2a8253dbb9cd8d04cd29000b4) --- daemon/qrexec-daemon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/qrexec-daemon.c b/daemon/qrexec-daemon.c index 502caf75..2508ed5a 100644 --- a/daemon/qrexec-daemon.c +++ b/daemon/qrexec-daemon.c @@ -923,7 +923,7 @@ static void sanitize_message_from_agent(struct msg_header *untrusted_header) "although it uses protocol %d", protocol_version); exit(1); } - if (untrusted_header->len < sizeof(struct trigger_service_params3)) { + if (untrusted_header->len <= sizeof(struct trigger_service_params3)) { LOG(ERROR, "agent sent invalid MSG_TRIGGER_SERVICE3 packet"); exit(1); }
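Review bot: the reason for the `<=` is invisible at the changed line, so a later reader may well "correct" it back to `<`; add a comment at the check, e.g. `/* len == sizeof(struct trigger_service_params3) leaves no room for the terminating NUL */`, so the boundary (a header whose len equals the struct size, i.e. zero bytes of service-name payload, is now rejected with the existing "agent sent invalid MSG_TRIGGER_SERVICE3 packet" error and exit(1)) is self-documenting. The commit message attributes the NUL-terminator assumption to handle_message_from_agent(), while the check itself lives in sanitize_message_from_agent() per the hunk header; the code that actually writes the NUL into the malloc()-ed buffer should carry the same comment, since that is the place the assumption is made. A regression test that feeds the daemon a MSG_TRIGGER_SERVICE3 header with len == sizeof(struct trigger_service_params3) and expects the invalid-packet error would pin this boundary, given that the commit message notes the bug was masked by glibc's 32-byte minimum allocation and would not show up under normal runs.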