From 07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 11 Jun 2014 12:24:20 +0100 Subject: If loader contains two messages with fds, don't corrupt the second There were two bugs here: we would previously overwrite the unused fds with the already-used fds instead of the other way round, and we would copy n bytes where we should have copied n ints. Additionally, sending crafted messages in a chosen sequence to a victim system service could cause an invalid file descriptor to be present when dbus-daemon tries to forward one of those crafted messages to the victim, causing sendmsg() to fail with EBADF, which resulted in disconnecting the victim service, which would likely respond to that by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533). Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469 Reviewed-by: Alban Crequy diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c index c6953d0..78df755 100644 --- a/dbus/dbus-message.c +++ b/dbus/dbus-message.c @@ -4204,7 +4204,7 @@ load_message (DBusMessageLoader *loader, message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds; loader->n_unix_fds -= n_unix_fds; - memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds); + memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0])); } else message->unix_fds = NULL; -- cgit v0.10.2