picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

shared/varlink: add missing terminator in json strings 

Should finally fix oss-fuzz-14688.
8688c29b5a wasn't enough.

The buffer retrieved from memstream has the size that the same as the written
data. When we write do write(f, s, strlen(s)), then no terminating NUL is written,
and the buffer is not (necessarilly) a proper C string.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-05-30 18:35:22 +02:00
parent c2babfc2f5
commit 2a04712c19
3 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/shared/json.c
View File

@ -1555,6 +1555,9 @@ int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret) {
size_t sz = 0;
int r;
/* Returns the length of the generated string (without the terminating NUL),
* or negative on error. */
assert_return(v, -EINVAL);
assert_return(ret, -EINVAL);
@ -1567,6 +1570,9 @@ int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret) {
json_variant_dump(v, flags, f, NULL);
/* Add terminating 0, so that the output buffer is a valid string. */
fputc('\0', f);
r = fflush_and_check(f);
}
if (r < 0)
@ -1574,8 +1580,8 @@ int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret) {
assert(s);
*ret = TAKE_PTR(s);
return (int) sz;
assert(sz > 0);
return (int) sz - 1;
}
void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) {

1
src/shared/varlink.c
View File

@ -1212,6 +1212,7 @@ static int varlink_enqueue_json(Varlink *v, JsonVariant *m) {
r = json_variant_format(m, 0, &text);
if (r < 0)
return r;
assert(text[r] == '\0');
if (v->output_buffer_size + r + 1 > VARLINK_BUFFER_MAX)
return -ENOBUFS;

4
src/test/test-json.c
View File

@ -89,6 +89,7 @@ static void test_variant(const char *data, Test test) {
r = json_variant_format(v, 0, &s);
assert_se(r >= 0);
assert_se(s);
assert_se((size_t) r == strlen(s));
log_info("formatted normally: %s\n", s);
@ -105,6 +106,7 @@ static void test_variant(const char *data, Test test) {
r = json_variant_format(v, JSON_FORMAT_PRETTY, &s);
assert_se(r >= 0);
assert_se(s);
assert_se((size_t) r == strlen(s));
log_info("formatted prettily:\n%s", s);
@ -120,12 +122,14 @@ static void test_variant(const char *data, Test test) {
r = json_variant_format(v, JSON_FORMAT_COLOR, &s);
assert_se(r >= 0);
assert_se(s);
assert_se((size_t) r == strlen(s));
printf("Normal with color: %s\n", s);
s = mfree(s);
r = json_variant_format(v, JSON_FORMAT_COLOR|JSON_FORMAT_PRETTY, &s);
assert_se(r >= 0);
assert_se(s);
assert_se((size_t) r == strlen(s));
printf("Pretty with color:\n%s\n", s);
if (test)