picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

bus-message: fix skipping of array fields in !gvariant messages

Browse source 
We copied part of the string into a buffer that was off by two.
If the element signature had length one, we'd copy 0 bytes and crash when
looking at the "first" byte. Otherwise, we would crash because strncpy would
not terminate the string.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2018-08-11 08:32:20 +02:00
parent 0b4775b527
commit 73777ddba5
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/libsystemd/sd-bus/bus-message.c
View file

@ -4958,18 +4958,18 @@ static int message_skip_fields(
} else if (t == SD_BUS_TYPE_ARRAY) { } else if (t == SD_BUS_TYPE_ARRAY) {
r = signature_element_length(*signature+1, &l); r = signature_element_length(*signature + 1, &l);
if (r < 0) if (r < 0)
return r; return r;
assert(l >= 1); assert(l >= 1);
{ {
char sig[l-1], *s; char sig[l + 1], *s = sig;
uint32_t nas; uint32_t nas;
int alignment; int alignment;
strncpy(sig, *signature + 1, l-1); strncpy(sig, *signature + 1, l);
s = sig; sig[l] = '\0';
alignment = bus_type_get_alignment(sig[0]); alignment = bus_type_get_alignment(sig[0]);
if (alignment < 0) if (alignment < 0)

BIN
test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 Normal file
View file

Binary file not shown.