From b55a39ac3348641c80a6571e9eaf189c2d730626 Mon Sep 17 00:00:00 2001
From: Moonchild
Date: Thu, 23 Apr 2026 19:14:31 +0200
Subject: [PATCH] [network] Force NUL termination in ToStringBuffer AF_LOCAL. Also reject AF_LOCAL in IPC reader (just in case).
---
 netwerk/dns/DNS.cpp | 8 +++++++-
 netwerk/ipc/NeckoMessageUtils.h | 6 +-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/netwerk/dns/DNS.cpp b/netwerk/dns/DNS.cpp
index 643296af00..170a01b625 100644
--- a/netwerk/dns/DNS.cpp
+++ b/netwerk/dns/DNS.cpp
@@ -120,7 +120,12 @@ bool NetAddrToString(const NetAddr *addr, char *buf, uint32_t bufSize)
 }
 #if defined(XP_UNIX)
 else if (addr->raw.family == AF_LOCAL) {
- if (bufSize < sizeof(addr->local.path)) {
+ // local.path is NOT guaranteed to be NUL-terminated: PR_Accept casts
+ // PRNetAddr* to struct sockaddr* and Linux sun_path is 108 bytes vs
+ // our 104, so a peer bound to a >=104-char path fills the whole field
+ // with non-NUL data. We must write our own terminator, so require
+ // strictly more than sizeof(path) bytes.
+ if (bufSize <= sizeof(addr->local.path)) {
 // Many callers don't bother checking our return value, so
 // null-terminate just in case.
 if (bufSize > 0) {
@@ -135,6 +140,7 @@ bool NetAddrToString(const NetAddr *addr, char *buf, uint32_t bufSize)
 // using the destination's size may cause us to read off the end of the
 // source.
 memcpy(buf, addr->local.path, sizeof(addr->local.path));
+ buf[sizeof(addr->local.path)] = '\0';
 return true;
 }
 #endif
diff --git a/netwerk/ipc/NeckoMessageUtils.h b/netwerk/ipc/NeckoMessageUtils.h
index 1633b82b64..01c549b68a 100644
--- a/netwerk/ipc/NeckoMessageUtils.h
+++ b/netwerk/ipc/NeckoMessageUtils.h
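Review bot: In the first netwerk/dns/DNS.cpp hunk, the tightened guard `if (bufSize <= sizeof(addr->local.path))` means a caller whose buffer is exactly sizeof(local.path) bytes now gets `false` and an empty string where it used to get the path, and the neighbouring comment already says many callers ignore the return value. The buffer-size constant callers pass is not visible in this patch, so it should be confirmed to exceed sizeof(local.path) by at least one byte, ideally with a static_assert next to its definition so the two sizes cannot drift apart. The terminator write in the second hunk, `buf[sizeof(addr->local.path)] = '\0';`, is in bounds only because of that guard, so a one-line comment there such as `// in bounds: bufSize > sizeof(path) was checked above` would keep the dependency visible. NetAddrToString's body starts and ends outside both hunks.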
@@ -117,13 +117,9 @@ struct ParamTraits
 ReadParam(aMsg, aIter, &aResult->inet6.ip.u64[0]) &&
 ReadParam(aMsg, aIter, &aResult->inet6.ip.u64[1]) &&
 ReadParam(aMsg, aIter, &aResult->inet6.scope_id);
-#if defined(XP_UNIX)
- } else if (aResult->raw.family == AF_LOCAL) {
- return aMsg->ReadBytesInto(aIter, &aResult->local.path, sizeof(aResult->local.path));
-#endif
 }
- /* We've been tricked by some socket family we don't know about! */
+ // We've been tricked by some socket family we don't know about!
 return false;
 }
 };
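Review bot: With the AF_LOCAL branch removed, the reader now returns false for that family, but the matching writer is not in this hunk and the diffstat shows no other change to this file, so the writer may still serialize `local.path` for AF_LOCAL. If it does, an AF_LOCAL NetAddr sent by a well-behaved process will fail deserialization on the receiving side; either the writer should refuse AF_LOCAL as well, or it should be confirmed that no caller sends one across IPC. The surviving comment also no longer describes this case, since AF_LOCAL is a known family rejected on purpose; `// AF_LOCAL is deliberately rejected here; anything else is an unknown family.` would say so. The Read function begins above the hunk.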