picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

bus-message: fix negative offset with ~empty message

Browse source 
In the linked reproducer, m->fields_size == 0, and we calculate ri == -1, which
of course doesn't end well. Skip the whole calculation if m->fields_size == 0,
and also check that we don't go negative even if it is non-zero.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19446 and #15583.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2020-05-20 09:05:17 +02:00
parent 1d06deba0f
commit e0c17a7d1b
2 changed files with 24 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
src/libsystemd/sd-bus/bus-message.c
View file

@ -5202,29 +5202,34 @@ int bus_message_parse_fields(sd_bus_message *m) {
* table */
m->user_body_size = m->body_size - ((char*) m->footer + m->footer_accessible - p);
/* Pull out the offset table for the fields array */
sz = bus_gvariant_determine_word_size(m->fields_size, 0);
if (sz > 0) {
size_t framing;
void *q;
/* Pull out the offset table for the fields array, if any */
if (m->fields_size > 0) {
sz = bus_gvariant_determine_word_size(m->fields_size, 0);
if (sz > 0) {
size_t framing;
void *q;
ri = m->fields_size - sz;
r = message_peek_fields(m, &ri, 1, sz, &q);
if (r < 0)
return r;
if (m->fields_size < sz)
return -EBADMSG;
framing = bus_gvariant_read_word_le(q, sz);
if (framing >= m->fields_size - sz)
return -EBADMSG;
if ((m->fields_size - framing) % sz != 0)
return -EBADMSG;
ri = m->fields_size - sz;
r = message_peek_fields(m, &ri, 1, sz, &q);
if (r < 0)
return r;
ri = framing;
r = message_peek_fields(m, &ri, 1, m->fields_size - framing, &offsets);
if (r < 0)
return r;
framing = bus_gvariant_read_word_le(q, sz);
if (framing >= m->fields_size - sz)
return -EBADMSG;
if ((m->fields_size - framing) % sz != 0)
return -EBADMSG;
n_offsets = (m->fields_size - framing) / sz;
ri = framing;
r = message_peek_fields(m, &ri, 1, m->fields_size - framing, &offsets);
if (r < 0)
return r;
n_offsets = (m->fields_size - framing) / sz;
}
}
} else
m->user_body_size = m->body_size;

BIN
test/fuzz/fuzz-bus-message/oss-fuzz-19446 Normal file
View file

Binary file not shown.