From b71d112385937fdffac8bb78df279b23bc9441c4 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 4 Dec 2018 10:01:35 +0100
Subject: [PATCH] core: enforce a limit on STATUS= texts recvd from services
Let's better be safe than sorry, and put a limit on what we receive.
(cherry picked from commit 3eac1bcae9284fb8b18f4b82156c0e85ddb004e5)
Related: CVE-2018-15686
---
src/core/service.c | 8 ++++++--
src/core/service.h | 2 ++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/core/service.c b/src/core/service.c
index 4d542ad947..fe6e2ff17c 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -3045,8 +3045,12 @@ static void service_notify_message(Unit *u, pid_t pid, char **tags, FDSet *fds)
_cleanup_free_ char *t = NULL;
if (!isempty(e)) {
- if (!utf8_is_valid(e))
- log_unit_warning(u->id, "Status message in notification is not UTF-8 clean.");
+ /* Note that this size limit check is mostly paranoia: since the datagram size we are willing
+ * to process is already limited to NOTIFY_BUFFER_MAX, this limit here should never be hit. */
+ if (strlen(e) > STATUS_TEXT_MAX)
+ log_unit_warning(u->id, "Status message overly long (%zu > %u), ignoring.", strlen(e), STATUS_TEXT_MAX);
+ else if (!utf8_is_valid(e))
+ log_unit_warning(u->id, "Status message in notification message is not UTF-8 clean, ignoring.");
else {
log_unit_debug(u->id, "%s: got STATUS=%s", u->id, e);
diff --git a/src/core/service.h b/src/core/service.h
index 1f937dfe57..e0547a464e 100644
--- a/src/core/service.h
+++ b/src/core/service.h
@@ -31,6 +31,8 @@ typedef struct ServiceFDStore ServiceFDStore;
#include "exit-status.h"
#include "emergency-action.h"
+#define STATUS_TEXT_MAX (16U*1024U)
+
typedef enum ServiceState {
SERVICE_DEAD,
SERVICE_START_PRE,