Merge pull request #10349 from poettering/bus-creds-shift-overflow

sd-bus creds bitshift overflow fix
2018-10-10 12:04:33 +02:00 · 2018-10-10 12:04:33 +02:00 · 98359a012a
parent 65f95765d0 92a40e20bf
commit 98359a012a
2 changed files with 11 additions and 4 deletions
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@ -39,3 +39,7 @@ static inline bool cap_test_all(uint64_t caps) {
 }

 bool ambient_capabilities_supported(void);
+
+/* Identical to linux/capability.h's CAP_TO_MASK(), but uses an unsigned 1U instead of a signed 1 for shifting left, in
+ * order to avoid complaints about shifting a signed int left by 31 bits, which would make it negative. */
+#define CAP_TO_MASK_CORRECTED(x) (1U << ((x) & 31U))
--- a/src/libsystemd/sd-bus/bus-creds.c
+++ b/src/libsystemd/sd-bus/bus-creds.c
@ -649,19 +649,22 @@ _public_ int sd_bus_creds_get_description(sd_bus_creds *c, const char **ret) {
        return 0;
 }

-static int has_cap(sd_bus_creds *c, unsigned offset, int capability) {
+static int has_cap(sd_bus_creds *c, size_t offset, int capability) {
+        unsigned long lc;
        size_t sz;

        assert(c);
        assert(capability >= 0);
        assert(c->capability);

-        if ((unsigned) capability > cap_last_cap())
+        lc = cap_last_cap();
+
+        if ((unsigned long) capability > lc)
                return 0;

-        sz = DIV_ROUND_UP(cap_last_cap(), 32U);
+        sz = DIV_ROUND_UP(lc, 32LU);

-        return !!(c->capability[offset * sz + CAP_TO_INDEX(capability)] & CAP_TO_MASK(capability));
+        return !!(c->capability[offset * sz + CAP_TO_INDEX((uint32_t) capability)] & CAP_TO_MASK_CORRECTED((uint32_t) capability));
 }

 _public_ int sd_bus_creds_has_effective_cap(sd_bus_creds *c, int capability) {