From d212765dc94ba25c04e0e9a278586f0e86851e35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 11 Aug 2018 08:32:20 +0200
Subject: [PATCH] bus-message: fix skipping of array fields in !gvariant
 messages
We copied part of the string into a buffer that was off by two.
If the element signature had length one, we'd copy 0 bytes and crash when
looking at the "first" byte. Otherwise, we would crash because strncpy would
not terminate the string.
(cherry picked from commit 73777ddba5100fe6c0791cd37a91f24a515f3202)
Resolves: #1696224
---
 src/libsystemd/sd-bus/bus-message.c               |   8 ++++----
 ...crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 | Bin 0 -> 534 bytes
 2 files changed, 4 insertions(+), 4 deletions(-)
 create mode 100644 test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 09e72d89dd..202f1aab30 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -4981,18 +4981,18 @@ static int message_skip_fields(
 
                 } else if (t == SD_BUS_TYPE_ARRAY) {
 
-                        r = signature_element_length(*signature+1, &l);
+                        r = signature_element_length(*signature + 1, &l);
                         if (r < 0)
                                 return r;
 
                         assert(l >= 1);
                         {
-                                char sig[l-1], *s;
+                                char sig[l + 1], *s = sig;
                                 uint32_t nas;
                                 int alignment;
 
-                                strncpy(sig, *signature + 1, l-1);
-                                s = sig;
+                                strncpy(sig, *signature + 1, l);
+                                sig[l] = '\0';
 
                                 alignment = bus_type_get_alignment(sig[0]);
                                 if (alignment < 0)
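Review bot: The copy at `strncpy(sig, *signature + 1, l); sig[l] = '\0';` is now correctly bounded and terminated, but strncpy is the wrong primitive here: signature_element_length() appears to have just established that `l` bytes of element signature follow `*signature + 1`, so the copy can never stop early on a NUL and strncpy's zero-padding buys nothing, whereas `memcpy(sig, *signature + 1, l);` plus the explicit terminator states the intent and will not trip the usual strncpy warnings. A short why-comment would also help the next reader, e.g. `/* l bytes of element signature follow; copy them and NUL-terminate explicitly */`. Note that `char sig[l + 1]` is a VLA sized by data taken from the message, so its safety rests on the signature length being bounded before this point (the wire format is believed to store it in a single byte, but nothing in this hunk shows that bound); worth confirming rather than assuming. message_skip_fields begins before this hunk and continues after it.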
diff --git a/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 b/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
new file mode 100644
index 0000000000000000000000000000000000000000..6a20265a39e1b4a318b50aee2b13727ddc4113bf
GIT binary patch
literal 534
zcmc~{WMHggWMD`aVqj=xU|>*W&P&W-;Q0Fg|9>Elfq|V9OfmRED27Bi2!jjC2Wn-|
z17hYPAOVtNW-Ml42GVKy`9P9^ffdMS1=8h-IVt%J91NTwNgyEFV4&K>#6$*=MMgl(
r%#fH?l1eMv=;=K=_yi-CK!KUB2_%6r0c0u^mlS2@rGxk|0FGY(dwVLU
literal 0
HcmV?d00001