Fix domain socket handling (fixes CVE-2024-35235)

zdohnal · zdohnal · commit b273a1f29bda · 2024-06-11T16:19:11.000+02:00
- Check status of unlink and bind system calls.
- Don't allow extra domain sockets when running from launchd/systemd.
- Validate length of domain socket path (&lt; sizeof(sun_path))

Fixes CVE-2024-35235, written by Mike Sweet
diff --git a/cups/http-addr.c b/cups/http-addr.c
@@ -206,27 +206,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
     * Remove any existing domain socket file...
     */
 
-    unlink(addr->un.sun_path);
-
-   /*
-    * Save the current umask and set it to 0 so that all users can access
-    * the domain socket...
-    */
-
-    mask = umask(0);
+    if ((status = unlink(addr->un.sun_path)) < 0)
+    {
+      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
 
-   /*
-    * Bind the domain socket...
-    */
+      if (errno == ENOENT)
+	status = 0;
+    }
 
-    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+    if (!status)
+    {
+      // Save the current umask and set it to 0 so that all users can access
+      // the domain socket...
+      mask = umask(0);
 
-   /*
-    * Restore the umask and fix permissions...
-    */
+      // Bind the domain socket...
+      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+      {
+	DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+      }
 
-    umask(mask);
-    chmod(addr->un.sun_path, 0140777);
+      // Restore the umask...
+      umask(mask);
+    }
   }
   else
 #endif /* AF_LOCAL */
diff --git a/scheduler/conf.c b/scheduler/conf.c
@@ -3083,6 +3083,26 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
       cupsd_listener_t	*lis;		/* New listeners array */
 
 
+     /*
+      * If we are launched on-demand, do not use domain sockets from the config
+      * file.  Also check that the domain socket path is not too long...
+      */
+
+#ifdef HAVE_ONDEMAND
+      if (*value == '/' && OnDemand)
+      {
+        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+        continue;
+      }
+#endif // HAVE_ONDEMAND
+
+      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+      {
+        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+        continue;
+      }
+
      /*
       * Get the address list...
       */
