From 6c4a695045155583a99f3fbce7bb745f79c2e726 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demi@invisiblethingslab.com>
Date: Wed, 24 Jul 2024 21:20:12 -0400
Subject: connection: Reject strings containing NUL bytes

libwayland cannot construct these messages as it uses strlen() to
determine string lengths.  libwayland is also guaranteed to misinterpret
these messages, since message handlers only get a pointer and no length.
Therefore, reject strings containing NUL bytes.

Also remove a redundant check from the unmarshalling code.  The
zero-length case has already been checked for.

Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
 src/connection.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/connection.c b/src/connection.c
index e1b751a..6b28d21 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -975,7 +975,7 @@ wl_connection_demarshal(struct wl_connection *connection,
 
 			s = (char *) p;
 
-			if (length > 0 && s[length - 1] != '\0') {
+			if (s[length - 1] != '\0') {
 				wl_log("string not nul-terminated, "
 				       "message %s(%s)\n",
 				       message->name, message->signature);
@@ -983,6 +983,14 @@ wl_connection_demarshal(struct wl_connection *connection,
 				goto err;
 			}
 
+			if (strlen(s) != length - 1) {
+				wl_log("string has embedded nul at offset %zu, "
+				       "message %s(%s)\n", strlen(s),
+				       message->name, message->signature);
+				errno = EINVAL;
+				goto err;
+			}
+
 			closure->args[i].s = s;
 			p = next;
 			break;
-- 
cgit v1.2.3-70-g09d2