| author | Demi Marie Obenour <demi@invisiblethingslab.com> | 2024-07-24 21:20:12 -0400 |
|---|---|---|
| committer | Simon Ser <contact@emersion.fr> | 2024-08-18 17:08:56 +0000 |
| commit | 6c4a695045155583a99f3fbce7bb745f79c2e726 (patch) | |
| tree | 7522110d7bd6c3ae35e5ecb56b32323866a5cc05 | |
| parent | meson: Fix use of install_data() without specifying install_dir (diff) | |

connection: Reject strings containing NUL bytes

libwayland cannot construct these messages as it uses strlen() to
determine string lengths. libwayland is also guaranteed to misinterpret
these messages, since message handlers only get a pointer and no length.
Therefore, reject strings containing NUL bytes.

Also remove a redundant check from the unmarshalling code. The
zero-length case has already been checked for.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>

| -rw-r--r-- | doc/publican/sources/Protocol.xml | 3 |
| -rw-r--r-- | src/connection.c | 10 |
2 files changed, 11 insertions, 2 deletions
diff --git a/doc/publican/sources/Protocol.xml b/doc/publican/sources/Protocol.xml index 38243fa..692f17e 100644 --- a/doc/publican/sources/Protocol.xml +++ b/doc/publican/sources/Protocol.xml @@ -152,7 +152,8 @@ Starts with an unsigned 32-bit length (including null terminator), followed by the UTF-8 encoded string contents, including terminating null byte, then padding to a 32-bit boundary. A null - value is represented with a length of 0. + value is represented with a length of 0. Interior null bytes are + not permitted. </para> </listitem> </varlistentry> diff --git a/src/connection.c b/src/connection.c index e1b751a..6b28d21 100644 --- a/src/connection.c +++ b/src/connection.c @@ -975,7 +975,7 @@ wl_connection_demarshal(struct wl_connection *connection, s = (char *) p; - if (length > 0 && s[length - 1] != '\0') { + if (s[length - 1] != '\0') { wl_log("string not nul-terminated, " "message %s(%s)\n", message->name, message->signature); @@ -983,6 +983,14 @@ wl_connection_demarshal(struct wl_connection *connection, goto err; } + if (strlen(s) != length - 1) { + wl_log("string has embedded nul at offset %zu, " + "message %s(%s)\n", strlen(s), + message->name, message->signature); + errno = EINVAL; + goto err; + } + closure->args[i].s = s; p = next; break; |
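
Review bot: The new wording in the string entry of doc/publican/sources/Protocol.xml (hunk at -152,7) does not say what a receiver does with a string that breaks the rule. "Interior null bytes are not permitted." reads as a constraint on senders only, while the connection.c part of this patch makes the demarshaller fail the message with EINVAL. Consider adding that a message containing such a string is rejected as malformed, so other implementations of the wire format know rejection is the expected behaviour rather than truncation at the first null byte. The paragraph says "null byte" while the log strings in connection.c say "nul"; picking one spelling would help anyone searching for it.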
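
Review bot: Dropping `length > 0 &&` from the terminator check in the first src/connection.c hunk (-975,7) leaves `s[length - 1]` depending on a zero-length check that is not visible in this hunk's context. The commit message says the zero-length case has already been handled, but nothing at this line records that, and with length equal to 0 the expression `length - 1` is not a valid index into the string. A one-line comment above the `if` naming the earlier check, or an assertion that length is non-zero at this point, would stop a later refactor of the earlier branch from silently turning this into an out-of-bounds read on data the peer controls.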
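
Review bot: The new `if (strlen(s) != length - 1)` block in the second src/connection.c hunk (-983,6) is only safe because the terminator check directly above it has already confirmed that `s[length - 1]` is '\0'; without that, strlen() could run past the end of the message. The ordering deserves a short comment so the two checks are not reordered or merged later. strlen(s) is also evaluated twice, once in the condition and once as the wl_log argument; storing it in a local size_t would avoid the second scan and keep the logged offset tied to the value that was actually compared. Finally, the diffstat shows only Protocol.xml and connection.c changing, so no test exercises the new rejection path: a case that sends a string argument with an embedded NUL and expects the demarshal to fail with EINVAL would cover it.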
