From b71d112385937fdffac8bb78df279b23bc9441c4 Mon Sep 17 00:00:00 2001 From: Jan Synacek Date: Tue, 4 Dec 2018 10:01:35 +0100 Subject: [PATCH] core: enforce a limit on STATUS= texts recvd from services Let's better be safe than sorry, and put a limit on what we receive. (cherry picked from commit 3eac1bcae9284fb8b18f4b82156c0e85ddb004e5) Related: CVE-2018-15686 --- src/core/service.c | 8 ++++++-- src/core/service.h | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/core/service.c b/src/core/service.c index 4d542ad947..fe6e2ff17c 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -3045,8 +3045,12 @@ static void service_notify_message(Unit *u, pid_t pid, char **tags, FDSet *fds) _cleanup_free_ char *t = NULL; if (!isempty(e)) { - if (!utf8_is_valid(e)) - log_unit_warning(u->id, "Status message in notification is not UTF-8 clean."); + /* Note that this size limit check is mostly paranoia: since the datagram size we are willing + * to process is already limited to NOTIFY_BUFFER_MAX, this limit here should never be hit. */ + if (strlen(e) > STATUS_TEXT_MAX) + log_unit_warning(u->id, "Status message overly long (%zu > %u), ignoring.", strlen(e), STATUS_TEXT_MAX); + else if (!utf8_is_valid(e)) + log_unit_warning(u->id, "Status message in notification message is not UTF-8 clean, ignoring."); else { log_unit_debug(u->id, "%s: got STATUS=%s", u->id, e); diff --git a/src/core/service.h b/src/core/service.h index 1f937dfe57..e0547a464e 100644 --- a/src/core/service.h +++ b/src/core/service.h @@ -31,6 +31,8 @@ typedef struct ServiceFDStore ServiceFDStore; #include "exit-status.h" #include "emergency-action.h" +#define STATUS_TEXT_MAX (16U*1024U) + typedef enum ServiceState { SERVICE_DEAD, SERVICE_START_PRE,