|
 |
4bff0a |
From d212765dc94ba25c04e0e9a278586f0e86851e35 Mon Sep 17 00:00:00 2001
|
|
|
4bff0a |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
4bff0a |
Date: Sat, 11 Aug 2018 08:32:20 +0200
|
|
|
4bff0a |
Subject: [PATCH] bus-message: fix skipping of array fields in !gvariant
|
|
|
4bff0a |
messages
|
|
|
4bff0a |
|
|
|
4bff0a |
We copied part of the string into a buffer that was off by two.
|
|
|
4bff0a |
If the element signature had length one, we'd copy 0 bytes and crash when
|
|
|
4bff0a |
looking at the "first" byte. Otherwise, we would crash because strncpy would
|
|
|
4bff0a |
not terminate the string.
|
|
|
4bff0a |
|
|
|
4bff0a |
(cherry picked from commit 73777ddba5100fe6c0791cd37a91f24a515f3202)
|
|
|
4bff0a |
|
|
|
4bff0a |
Resolves: #1696224
|
|
|
4bff0a |
---
|
|
|
4bff0a |
src/libsystemd/sd-bus/bus-message.c | 8 ++++----
|
|
|
4bff0a |
...crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 | Bin 0 -> 534 bytes
|
|
|
4bff0a |
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
4bff0a |
create mode 100644 test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
|
|
|
4bff0a |
|
|
|
4bff0a |
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
|
|
|
4bff0a |
index 09e72d89dd..202f1aab30 100644
|
|
|
4bff0a |
--- a/src/libsystemd/sd-bus/bus-message.c
|
|
|
4bff0a |
+++ b/src/libsystemd/sd-bus/bus-message.c
|
|
|
4bff0a |
@@ -4981,18 +4981,18 @@ static int message_skip_fields(
|
|
|
4bff0a |
|
|
|
4bff0a |
} else if (t == SD_BUS_TYPE_ARRAY) {
|
|
|
4bff0a |
|
|
|
4bff0a |
- r = signature_element_length(*signature+1, &l);
|
|
|
4bff0a |
+ r = signature_element_length(*signature + 1, &l);
|
|
|
4bff0a |
if (r < 0)
|
|
|
4bff0a |
return r;
|
|
|
4bff0a |
|
|
|
4bff0a |
assert(l >= 1);
|
|
|
4bff0a |
{
|
|
|
4bff0a |
- char sig[l-1], *s;
|
|
|
4bff0a |
+ char sig[l + 1], *s = sig;
|
|
|
4bff0a |
uint32_t nas;
|
|
|
4bff0a |
int alignment;
|
|
|
4bff0a |
|
|
|
4bff0a |
- strncpy(sig, *signature + 1, l-1);
|
|
|
4bff0a |
- s = sig;
|
|
|
4bff0a |
+ strncpy(sig, *signature + 1, l);
|
|
|
4bff0a |
+ sig[l] = '\0';
|
|
|
4bff0a |
|
|
|
4bff0a |
alignment = bus_type_get_alignment(sig[0]);
|
|
|
4bff0a |
if (alignment < 0)
|
|
|
4bff0a |
diff --git a/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 b/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
|
|
|
4bff0a |
new file mode 100644
|
|
|
4bff0a |
index 0000000000000000000000000000000000000000..6a20265a39e1b4a318b50aee2b13727ddc4113bf
|
|
|
4bff0a |
GIT binary patch
|
|
|
4bff0a |
literal 534
|
|
|
4bff0a |
zcmc~{WMHggWMD`aVqj=xU|>*W&P&W-;Q0Fg|9>Elfq|V9OfmRED27Bi2!jjC2Wn-|
|
|
|
4bff0a |
z17hYPAOVtNW-Ml42GVKy`9P9^ffdMS1=8h-IVt%J91NTwNgyEFV4&K>#6$*=MMgl(
|
|
|
4bff0a |
r%#fH?l1eMv=;=K=_yi-CK!KUB2_%6r0c0u^mlS2@rGxk|0FGY(dwVLU
|
|
|
4bff0a |
|
|
|
4bff0a |
literal 0
|
|
|
4bff0a |
HcmV?d00001
|
|
|
4bff0a |
|