Merge pull request #12279 from keszybz/sd-bus-long-signatures

sd-bus: properly handle messages with overlong signatures
2019-04-11 17:03:57 +02:00 · 2019-04-11 17:03:57 +02:00 · 574ef404d8
parent a3a1f24f81 fb270a26b2
commit 574ef404d8
5 changed files with 15 additions and 6 deletions
--- a/src/libsystemd/sd-bus/bus-internal.c
+++ b/src/libsystemd/sd-bus/bus-internal.c
@ -97,7 +97,7 @@ bool interface_name_is_valid(const char *p) {
                        dot = false;
                }

-        if (q - p > 255)
+        if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
                return false;

        if (dot)
@ -139,7 +139,7 @@ bool service_name_is_valid(const char *p) {
                        dot = false;
                }

-        if (q - p > 255)
+        if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
                return false;

        if (dot)
@ -170,7 +170,7 @@ bool member_name_is_valid(const char *p) {
                        return false;
        }

-        if (q - p > 255)
+        if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
                return false;

        return true;
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@ -284,7 +284,7 @@ static int message_append_field_signature(
        /* dbus1 doesn't allow signatures over 8bit, let's enforce
         * this globally, to not risk convertability */
        l = strlen(s);
-        if (l > 255)
+        if (l > SD_BUS_MAXIMUM_SIGNATURE_LENGTH)
                return -EINVAL;

        /* Signature "(yv)" where the variant contains "g" */
@ -5152,7 +5152,7 @@ int bus_message_parse_fields(sd_bus_message *m) {
                                return -EBADMSG;

                        if (*p == 0) {
-                                char *k;
+                                _cleanup_free_ char *k = NULL;
                                size_t l;

                                /* We found the beginning of the signature
@ -5170,6 +5170,9 @@ int bus_message_parse_fields(sd_bus_message *m) {
                                if (!k)
                                        return -ENOMEM;

+                                if (!signature_is_valid(k, true))
+                                        return -EBADMSG;
+
                                free_and_replace(m->root_container.signature, k);
                                break;
                        }
--- a/src/libsystemd/sd-bus/bus-signature.c
+++ b/src/libsystemd/sd-bus/bus-signature.c
@ -144,5 +144,5 @@ bool signature_is_valid(const char *s, bool allow_dict_entry) {
                p += t;
        }

-        return p - s <= 255;
+        return p - s <= SD_BUS_MAXIMUM_SIGNATURE_LENGTH;
 }
--- a/src/systemd/sd-bus.h
+++ b/src/systemd/sd-bus.h
@ -33,6 +33,12 @@ _SD_BEGIN_DECLARATIONS;
 #define SD_BUS_DEFAULT_USER ((sd_bus *) 2)
 #define SD_BUS_DEFAULT_SYSTEM ((sd_bus *) 3)

+/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-marshaling-signature */
+#define SD_BUS_MAXIMUM_SIGNATURE_LENGTH 255
+
+/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names */
+#define SD_BUS_MAXIMUM_NAME_LENGTH 255
+
 /* Types */

 typedef struct sd_bus sd_bus;
--- a/test/fuzz/fuzz-bus-message/oss-fuzz-14016
+++ b/test/fuzz/fuzz-bus-message/oss-fuzz-14016