563e3e
From 4573166e9384f4ffe17a87f7b41aacc4cfe8bad0 Mon Sep 17 00:00:00 2001
563e3e
From: Lennart Poettering <lennart@poettering.net>
563e3e
Date: Wed, 13 Feb 2019 16:51:22 +0100
563e3e
Subject: [PATCH] sd-bus: if we receive an invalid dbus message, ignore and
563e3e
 proceeed
563e3e
563e3e
dbus-daemon might have a slightly different idea of what a valid msg is
563e3e
than us (for example regarding valid msg and field sizes). Let's hence
563e3e
try to proceed if we can and thus drop messages rather than fail the
563e3e
connection if we fail to validate a message.
563e3e
563e3e
Hopefully the differences in what is considered valid are not visible
563e3e
for real-life usecases, but are specific to exploit attempts only.
563e3e
563e3e
(cherry-picked from commit 6d586a13717ae057aa1b4127400c3de61cd5b9e7)
563e3e
563e3e
Related: #1678641
563e3e
---
563e3e
 src/libsystemd/sd-bus/bus-socket.c | 9 ++++++---
563e3e
 1 file changed, 6 insertions(+), 3 deletions(-)
563e3e
563e3e
diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
563e3e
index a5513d1ab..17cfa8e1f 100644
563e3e
--- a/src/libsystemd/sd-bus/bus-socket.c
563e3e
+++ b/src/libsystemd/sd-bus/bus-socket.c
563e3e
@@ -1078,7 +1078,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) {
563e3e
 }
563e3e
 
563e3e
 static int bus_socket_make_message(sd_bus *bus, size_t size) {
563e3e
-        sd_bus_message *t;
563e3e
+        sd_bus_message *t = NULL;
563e3e
         void *b;
563e3e
         int r;
563e3e
 
563e3e
@@ -1103,7 +1103,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
563e3e
                                     bus->fds, bus->n_fds,
563e3e
                                     NULL,
563e3e
                                     &t);
563e3e
-        if (r < 0) {
563e3e
+        if (r == -EBADMSG)
563e3e
+                log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
563e3e
+        else if (r < 0) {
563e3e
                 free(b);
563e3e
                 return r;
563e3e
         }
563e3e
@@ -1114,7 +1116,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
563e3e
         bus->fds = NULL;
563e3e
         bus->n_fds = 0;
563e3e
 
563e3e
-        bus->rqueue[bus->rqueue_size++] = t;
563e3e
+        if (t)
563e3e
+                bus->rqueue[bus->rqueue_size++] = t;
563e3e
 
563e3e
         return 1;
563e3e
 }