daandemeyer / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
36e8a3
From 87922b7adc47f311e89b21e37b26ee300a401e1d Mon Sep 17 00:00:00 2001
36e8a3
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
36e8a3
Date: Mon, 9 Jul 2018 13:21:44 +0200
36e8a3
Subject: [PATCH] bus-message: do not crash on message with a string of zero
36e8a3
 length
36e8a3
36e8a3
We'd calculate the "real" length of the string as 'item_size - 1', which does
36e8a3
not work out well when item_size == 0.
36e8a3
36e8a3
(cherry picked from commit 81b6e63029eefcb0ec03a3a7c248490e38106073)
36e8a3
36e8a3
Resolves: #1635439
36e8a3
---
36e8a3
 src/libsystemd/sd-bus/bus-message.c                |   6 ++++++
36e8a3
 .../crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e | Bin 0 -> 51 bytes
36e8a3
 2 files changed, 6 insertions(+)
36e8a3
 create mode 100644 test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e
36e8a3
36e8a3
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
36e8a3
index 8d92bc200..381034f5f 100644
36e8a3
--- a/src/libsystemd/sd-bus/bus-message.c
36e8a3
+++ b/src/libsystemd/sd-bus/bus-message.c
36e8a3
@@ -3312,6 +3312,12 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
36e8a3
                 if (IN_SET(type, SD_BUS_TYPE_STRING, SD_BUS_TYPE_OBJECT_PATH, SD_BUS_TYPE_SIGNATURE)) {
36e8a3
                         bool ok;
36e8a3
 
36e8a3
+                        /* D-Bus spec: The marshalling formats for the string-like types all end
36e8a3
+                         * with a single zero (NUL) byte, but that byte is not considered to be part
36e8a3
+                         * of the text. */
36e8a3
+                        if (c->item_size == 0)
36e8a3
+                                return -EBADMSG;
36e8a3
+
36e8a3
                         r = message_peek_body(m, &rindex, 1, c->item_size, &q);
36e8a3
                         if (r < 0)
36e8a3
                                 return r;
36e8a3
diff --git a/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e b/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e
36e8a3
new file mode 100644
36e8a3
index 0000000000000000000000000000000000000000..4488f0a6c685b5d43eddbe41a0c6a3b6be9b02e2
36e8a3
GIT binary patch
36e8a3
literal 51
36e8a3
fcmc~1WMC4sJpJnr13KV`0|t%6q+%$@&=ddw)CUPg
36e8a3
36e8a3
literal 0
36e8a3
HcmV?d00001
36e8a3