bus-message: do not crash on message with a string of zero length

We'd calculate the "real" length of the string as 'item_size - 1', which does not work out well when item_size == 0.
2018-07-09 13:21:44 +02:00 · 2018-07-09 13:21:44 +02:00 · 81b6e63029
parent 69bd42ca07
commit 81b6e63029
2 changed files with 6 additions and 0 deletions
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@ -3292,6 +3292,12 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
                if (IN_SET(type, SD_BUS_TYPE_STRING, SD_BUS_TYPE_OBJECT_PATH, SD_BUS_TYPE_SIGNATURE)) {
                        bool ok;

+                        /* D-Bus spec: The marshalling formats for the string-like types all end
+                         * with a single zero (NUL) byte, but that byte is not considered to be part
+                         * of the text. */
+                        if (c->item_size == 0)
+                                return -EBADMSG;
+
                        r = message_peek_body(m, &rindex, 1, c->item_size, &q);
                        if (r < 0)
                                return r;
--- a/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e
+++ b/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e