From 82279e696605fe4eeadd1ca3744c76c8790f885b Mon Sep 17 00:00:00 2001

From: Lukasz Skalski <l.skalski@samsung.com>

Date: Fri, 10 Oct 2014 12:29:04 +0200

Subject: [PATCH] kdbus: fix buffer overflow in bus_get_owner_kdbus() function

Commit 710fc9779b7c (kdbus repo) introduced attaching items[]

instead of name[] in kdbus_cmd_conn_info struct. Commit 581fe6c81

(systemd repo) caught up with this change, but item size was not

properly calculated.

---

 src/libsystemd/sd-bus/bus-control.c | 11 +++++------

 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c

index dbd94fc46b..7b106a3274 100644

--- a/src/libsystemd/sd-bus/bus-control.c

+++ b/src/libsystemd/sd-bus/bus-control.c

@@ -398,7 +398,7 @@ static int bus_get_owner_kdbus(

         struct kdbus_cmd_conn_info *cmd;

         struct kdbus_conn_info *conn_info;

         struct kdbus_item *item;

-        size_t size;

+        size_t size, l;

         uint64_t m, id;

         int r;

@@ -410,13 +410,12 @@ static int bus_get_owner_kdbus(

                 cmd = alloca0_align(size, 8);

                 cmd->id = id;

         } else {

-                size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1;

-

-                size = offsetof(struct kdbus_cmd_conn_info, items) + item_size;

+                l = strlen(name) + 1;

+                size = offsetof(struct kdbus_cmd_conn_info, items) + KDBUS_ITEM_SIZE(l);

                 cmd = alloca0_align(size, 8);

-                cmd->items[0].size = item_size;

+                cmd->items[0].size = KDBUS_ITEM_HEADER_SIZE + l;

                 cmd->items[0].type = KDBUS_ITEM_NAME;

-                strcpy(cmd->items[0].str, name);

+                memcpy(cmd->items[0].str, name, l);

         }

         cmd->size = size;