picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bus-message: fix skipping of array fields in !gvariant messages 

We copied part of the string into a buffer that was off by two.
If the element signature had length one, we'd copy 0 bytes and crash when
looking at the "first" byte. Otherwise, we would crash because strncpy would
not terminate the string.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2018-08-11 08:32:20 +02:00
parent 0b4775b527
commit 73777ddba5
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/libsystemd/sd-bus/bus-message.c
View File

@ -4958,18 +4958,18 @@ static int message_skip_fields(
} else if (t == SD_BUS_TYPE_ARRAY) {
r = signature_element_length(*signature+1, &l);
r = signature_element_length(*signature + 1, &l);
if (r < 0)
return r;
assert(l >= 1);
{
char sig[l-1], *s;
char sig[l + 1], *s = sig;
uint32_t nas;
int alignment;
strncpy(sig, *signature + 1, l-1);
s = sig;
strncpy(sig, *signature + 1, l);
sig[l] = '\0';
alignment = bus_type_get_alignment(sig[0]);
if (alignment < 0)

BIN
test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 Normal file
View File

Binary file not shown.