|
 |
923a60 |
From 1c53e6f5a6bf9ecd5196518fc824af22c6996141 Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: Lennart Poettering <lennart@poettering.net>
|
|
|
923a60 |
Date: Wed, 13 Feb 2019 16:51:22 +0100
|
|
|
923a60 |
Subject: [PATCH] sd-bus: if we receive an invalid dbus message, ignore and
|
|
|
923a60 |
proceeed
|
|
|
923a60 |
|
|
|
923a60 |
dbus-daemon might have a slightly different idea of what a valid msg is
|
|
|
923a60 |
than us (for example regarding valid msg and field sizes). Let's hence
|
|
|
923a60 |
try to proceed if we can and thus drop messages rather than fail the
|
|
|
923a60 |
connection if we fail to validate a message.
|
|
|
923a60 |
|
|
|
923a60 |
Hopefully the differences in what is considered valid are not visible
|
|
|
923a60 |
for real-life usecases, but are specific to exploit attempts only.
|
|
|
923a60 |
|
|
|
923a60 |
(cherry-picked from commit 6d586a13717ae057aa1b4127400c3de61cd5b9e7)
|
|
|
923a60 |
|
|
|
923a60 |
Related: #1667871
|
|
|
923a60 |
---
|
|
|
923a60 |
src/libsystemd/sd-bus/bus-socket.c | 9 ++++++---
|
|
|
923a60 |
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
|
|
|
923a60 |
index ab56ef4f33..4437024bb9 100644
|
|
|
923a60 |
--- a/src/libsystemd/sd-bus/bus-socket.c
|
|
|
923a60 |
+++ b/src/libsystemd/sd-bus/bus-socket.c
|
|
|
923a60 |
@@ -879,7 +879,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) {
|
|
|
923a60 |
}
|
|
|
923a60 |
|
|
|
923a60 |
static int bus_socket_make_message(sd_bus *bus, size_t size) {
|
|
|
923a60 |
- sd_bus_message *t;
|
|
|
923a60 |
+ sd_bus_message *t = NULL;
|
|
|
923a60 |
void *b;
|
|
|
923a60 |
int r;
|
|
|
923a60 |
|
|
|
923a60 |
@@ -905,7 +905,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
|
|
|
923a60 |
NULL,
|
|
|
923a60 |
NULL,
|
|
|
923a60 |
&t);
|
|
|
923a60 |
- if (r < 0) {
|
|
|
923a60 |
+ if (r == -EBADMSG)
|
|
|
923a60 |
+ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
|
|
|
923a60 |
+ else if (r < 0) {
|
|
|
923a60 |
free(b);
|
|
|
923a60 |
return r;
|
|
|
923a60 |
}
|
|
|
923a60 |
@@ -916,7 +918,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
|
|
|
923a60 |
bus->fds = NULL;
|
|
|
923a60 |
bus->n_fds = 0;
|
|
|
923a60 |
|
|
|
923a60 |
- bus->rqueue[bus->rqueue_size++] = t;
|
|
|
923a60 |
+ if (t)
|
|
|
923a60 |
+ bus->rqueue[bus->rqueue_size++] = t;
|
|
|
923a60 |
|
|
|
923a60 |
return 1;
|
|
|
923a60 |
}
|