1
0
mirror of https://github.com/openbsd/src.git synced 2024-12-22 16:42:56 -08:00

cleanup privsep communications between child/parent with a lot more

paranoia.  noticed by aaron@, feedback from drahn@ cloder@ millert@
This commit is contained in:
avsm 2003-09-24 23:35:45 +00:00
parent 36003b4347
commit 878b8a60cc

View File

@ -1,4 +1,4 @@
/* $OpenBSD: privsep.c,v 1.5 2003/08/15 23:13:06 deraadt Exp $ */
/* $OpenBSD: privsep.c,v 1.6 2003/09/24 23:35:45 avsm Exp $ */
/*
* Copyright (c) 2003 Anil Madhavapeddy <anil@recoil.org>
@ -97,6 +97,7 @@ int
priv_init(char *conf, int numeric, int lockfd, int nullfd, char *argv[])
{
int i, fd, socks[2], cmd, addr_len, addr_af, result;
size_t path_len, hostname_len;
char path[MAXPATHLEN], hostname[MAXHOSTNAMELEN];
struct stat cf_stat;
struct hostent *hp;
@ -183,9 +184,14 @@ priv_init(char *conf, int numeric, int lockfd, int nullfd, char *argv[])
must_read(socks[0], &cmd, sizeof(int));
switch (cmd) {
case PRIV_OPEN_TTY:
must_read(socks[0], &path, sizeof path);
dprintf("[priv]: msg PRIV_OPEN_TTY received\n");
check_tty_name(path, sizeof path);
/* Expecting: length, path */
must_read(socks[0], &path_len, sizeof(size_t));
if (path_len == 0 || path_len > sizeof(path))
_exit(0);
must_read(socks[0], &path, path_len);
path[path_len - 1] = '\0';
check_tty_name(path, path_len);
fd = open(path, O_WRONLY|O_NONBLOCK, 0);
if (fd < 0)
warnx("priv_open_tty failed");
@ -194,9 +200,14 @@ priv_init(char *conf, int numeric, int lockfd, int nullfd, char *argv[])
break;
case PRIV_OPEN_LOG:
must_read(socks[0], &path, sizeof path);
dprintf("[priv]: msg PRIV_OPEN_LOG received: %s\n", path);
check_log_name(path, sizeof path);
/* Expecting: length, path */
must_read(socks[0], &path_len, sizeof(size_t));
if (path_len == 0 || path_len > sizeof(path))
_exit(0);
must_read(socks[0], &path, path_len);
path[path_len - 1] = '\0';
check_log_name(path, path_len);
fd = open(path, O_WRONLY|O_APPEND|O_NONBLOCK, 0);
if (fd < 0)
warnx("priv_open_log failed");
@ -246,8 +257,12 @@ priv_init(char *conf, int numeric, int lockfd, int nullfd, char *argv[])
case PRIV_GETHOSTBYNAME:
dprintf("[priv]: msg PRIV_GETHOSTBYNAME received\n");
/* Expecting: hostname[MAXHOSTNAMELEN] */
must_read(socks[0], &hostname, sizeof hostname);
/* Expecting: length, hostname */
must_read(socks[0], &hostname_len, sizeof(size_t));
if (hostname_len == 0 || hostname_len > sizeof(hostname))
_exit(0);
must_read(socks[0], &hostname, hostname_len);
hostname[hostname_len - 1] = '\0';
hp = gethostbyname(hostname);
if (hp == NULL) {
addr_len = 0;
@ -264,7 +279,7 @@ priv_init(char *conf, int numeric, int lockfd, int nullfd, char *argv[])
errx(1, "rejected attempt to gethostbyaddr");
/* Expecting: length, address, address family */
must_read(socks[0], &addr_len, sizeof(int));
if (addr_len > sizeof(hostname))
if (addr_len <= 0 || addr_len > sizeof(hostname))
_exit(0);
must_read(socks[0], hostname, addr_len);
must_read(socks[0], &addr_af, sizeof(int));
@ -381,15 +396,19 @@ priv_open_tty(const char *tty)
{
char path[MAXPATHLEN];
int cmd, fd;
size_t path_len;
if (priv_fd < 0)
errx(1, "%s: called from privileged portion", __func__);
if (strlcpy(path, tty, sizeof path) >= sizeof(path))
return -1;
path_len = strlen(path) + 1;
cmd = PRIV_OPEN_TTY;
must_write(priv_fd, &cmd, sizeof(int));
must_write(priv_fd, path, sizeof(path));
must_write(priv_fd, &path_len, sizeof(size_t));
must_write(priv_fd, path, path_len);
fd = receive_fd(priv_fd);
return fd;
}
@ -400,15 +419,19 @@ priv_open_log(const char *log)
{
char path[MAXPATHLEN];
int cmd, fd;
size_t path_len;
if (priv_fd < 0)
errx(1, "%s: called from privileged child", __func__);
if (strlcpy(path, log, sizeof path) >= sizeof(path))
return -1;
path_len = strlen(path) + 1;
cmd = PRIV_OPEN_LOG;
must_write(priv_fd, &cmd, sizeof(int));
must_write(priv_fd, path, sizeof(path));
must_write(priv_fd, &path_len, sizeof(size_t));
must_write(priv_fd, path, path_len);
fd = receive_fd(priv_fd);
return fd;
}
@ -503,16 +526,19 @@ priv_gethostbyname(char *host, char *addr, size_t addr_len)
{
char hostcpy[MAXHOSTNAMELEN];
int cmd, ret_len;
if (strlcpy(hostcpy, host, sizeof hostcpy) >= sizeof(hostcpy))
errx(1, "%s: overflow attempt in hostname", __func__);
size_t hostname_len;
if (priv_fd < 0)
errx(1, "%s: called from privileged portion", __func__);
if (strlcpy(hostcpy, host, sizeof hostcpy) >= sizeof(hostcpy))
errx(1, "%s: overflow attempt in hostname", __func__);
hostname_len = strlen(hostcpy) + 1;
cmd = PRIV_GETHOSTBYNAME;
must_write(priv_fd, &cmd, sizeof(int));
must_write(priv_fd, hostcpy, sizeof(hostcpy));
must_write(priv_fd, &hostname_len, sizeof(size_t));
must_write(priv_fd, hostcpy, hostname_len);
/* Expect back an integer size, and then a string of that length */
must_read(priv_fd, &ret_len, sizeof(int));