Bugfix: avert endless loop on unexpected EOF at ipc messages (#3021)

Fix freeze on invalid ipc commands like

    echo -n $'i3-ipc\0\0\0\xa\0\0\0\0focus left' | socat - `i3 --get-socketpath`

Also, treat incomplete headers as IPC violation. Example of incomplete header:

    echo -n i3-ip | socat - `i3 --get-socketpath`
This commit is contained in:
xzfc 2017-11-10 02:18:23 +07:00 committed by Michael Stapelberg
parent c207921949
commit 103e78e04a
1 changed files with 17 additions and 4 deletions

View File

@ -13,6 +13,7 @@
#include <stdint.h> #include <stdint.h>
#include <unistd.h> #include <unistd.h>
#include <errno.h> #include <errno.h>
#include <inttypes.h>
#include <i3/ipc.h> #include <i3/ipc.h>
@ -41,14 +42,21 @@ int ipc_recv_message(int sockfd, uint32_t *message_type,
if (n == -1) if (n == -1)
return -1; return -1;
if (n == 0) { if (n == 0) {
if (read_bytes == 0) {
return -2; return -2;
} else {
ELOG("IPC: unexpected EOF while reading header, got %" PRIu32 " bytes, want %" PRIu32 " bytes\n",
read_bytes, to_read);
return -3;
}
} }
read_bytes += n; read_bytes += n;
} }
if (memcmp(walk, I3_IPC_MAGIC, strlen(I3_IPC_MAGIC)) != 0) { if (memcmp(walk, I3_IPC_MAGIC, strlen(I3_IPC_MAGIC)) != 0) {
ELOG("IPC: invalid magic in reply\n"); ELOG("IPC: invalid magic in header, got \"%.*s\", want \"%s\"\n",
(int)strlen(I3_IPC_MAGIC), walk, I3_IPC_MAGIC);
return -3; return -3;
} }
@ -61,13 +69,18 @@ int ipc_recv_message(int sockfd, uint32_t *message_type,
*reply = smalloc(*reply_length); *reply = smalloc(*reply_length);
read_bytes = 0; read_bytes = 0;
int n;
while (read_bytes < *reply_length) { while (read_bytes < *reply_length) {
if ((n = read(sockfd, *reply + read_bytes, *reply_length - read_bytes)) == -1) { const int n = read(sockfd, *reply + read_bytes, *reply_length - read_bytes);
if (n == -1) {
if (errno == EINTR || errno == EAGAIN) if (errno == EINTR || errno == EAGAIN)
continue; continue;
return -1; return -1;
} }
if (n == 0) {
ELOG("IPC: unexpected EOF while reading payload, got %" PRIu32 " bytes, want %" PRIu32 " bytes\n",
read_bytes, *reply_length);
return -3;
}
read_bytes += n; read_bytes += n;
} }