From 103e78e04a2015caad74e00a48f7faa83ae19f42 Mon Sep 17 00:00:00 2001 From: xzfc Date: Fri, 10 Nov 2017 02:18:23 +0700 Subject: [PATCH] Bugfix: avert endless loop on unexpected EOF at ipc messages (#3021) Fix freeze on invalid ipc commands like echo -n $'i3-ipc\0\0\0\xa\0\0\0\0focus left' | socat - `i3 --get-socketpath` Also, treat incomplete headers as IPC violation. Example of incomplete header: echo -n i3-ip | socat - `i3 --get-socketpath` --- libi3/ipc_recv_message.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libi3/ipc_recv_message.c b/libi3/ipc_recv_message.c index 16dda90d..84da5aa3 100644 --- a/libi3/ipc_recv_message.c +++ b/libi3/ipc_recv_message.c @@ -13,6 +13,7 @@ #include #include #include +#include #include @@ -41,14 +42,21 @@ int ipc_recv_message(int sockfd, uint32_t *message_type, if (n == -1) return -1; if (n == 0) { - return -2; + if (read_bytes == 0) { + return -2; + } else { + ELOG("IPC: unexpected EOF while reading header, got %" PRIu32 " bytes, want %" PRIu32 " bytes\n", + read_bytes, to_read); + return -3; + } } read_bytes += n; } if (memcmp(walk, I3_IPC_MAGIC, strlen(I3_IPC_MAGIC)) != 0) { - ELOG("IPC: invalid magic in reply\n"); + ELOG("IPC: invalid magic in header, got \"%.*s\", want \"%s\"\n", + (int)strlen(I3_IPC_MAGIC), walk, I3_IPC_MAGIC); return -3; } @@ -61,13 +69,18 @@ int ipc_recv_message(int sockfd, uint32_t *message_type, *reply = smalloc(*reply_length); read_bytes = 0; - int n; while (read_bytes < *reply_length) { - if ((n = read(sockfd, *reply + read_bytes, *reply_length - read_bytes)) == -1) { + const int n = read(sockfd, *reply + read_bytes, *reply_length - read_bytes); + if (n == -1) { if (errno == EINTR || errno == EAGAIN) continue; return -1; } + if (n == 0) { + ELOG("IPC: unexpected EOF while reading payload, got %" PRIu32 " bytes, want %" PRIu32 " bytes\n", + read_bytes, *reply_length); + return -3; + } read_bytes += n; }