sd-bus: fix buffer overflow
Fixes #23486.
(cherry picked from commit 89b6a3f13e
)
parent
f00716615d
commit
a5c4e29b2c
@ -428,7 +428,7 @@ int bus_message_from_header(
|
||||
|
||||
_cleanup_free_ sd_bus_message *m = NULL;
|
||||
struct bus_header *h;
|
||||
size_t a, label_sz;
|
||||
size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */
|
||||
|
||||
assert(bus);
|
||||
assert(header || header_accessible <= 0);
|
||||
@ -506,7 +506,10 @@ int bus_message_from_header(
|
||||
m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size);
|
||||
m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size);
|
||||
|
||||
if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size)
|
||||
assert(message_size >= sizeof(struct bus_header));
|
||||
if (m->fields_size > message_size - sizeof(struct bus_header) ||
|
||||
ALIGN8(m->fields_size) > message_size - sizeof(struct bus_header) ||
|
||||
m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size))
|
||||
return -EBADMSG;
|
||||
}
|
||||
|
||||
@ -3061,15 +3064,21 @@ void bus_body_part_unmap(struct bus_body_part *part) {
|
||||
return;
|
||||
}
|
||||
|
||||
static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
|
||||
static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
|
||||
size_t k, start, end;
|
||||
|
||||
assert(rindex);
|
||||
assert(align > 0);
|
||||
|
||||
start = ALIGN_TO((size_t) *rindex, align);
|
||||
end = start + nbytes;
|
||||
start = ALIGN_TO(*rindex, align);
|
||||
if (start > sz)
|
||||
return -EBADMSG;
|
||||
|
||||
/* Avoid overflow below */
|
||||
if (nbytes > SIZE_MAX - start)
|
||||
return -EBADMSG;
|
||||
|
||||
end = start + nbytes;
|
||||
if (end > sz)
|
||||
return -EBADMSG;
|
||||
|
||||
@ -3272,10 +3281,17 @@ static int message_peek_body(
|
||||
assert(rindex);
|
||||
assert(align > 0);
|
||||
|
||||
start = ALIGN_TO((size_t) *rindex, align);
|
||||
padding = start - *rindex;
|
||||
end = start + nbytes;
|
||||
start = ALIGN_TO(*rindex, align);
|
||||
if (start > m->user_body_size)
|
||||
return -EBADMSG;
|
||||
|
||||
padding = start - *rindex;
|
||||
|
||||
/* Avoid overflow below */
|
||||
if (nbytes > SIZE_MAX - start)
|
||||
return -EBADMSG;
|
||||
|
||||
end = start + nbytes;
|
||||
if (end > m->user_body_size)
|
||||
return -EBADMSG;
|
||||
|
||||
|
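Review bot: In the hunk at `@ -506,7 +506,10 @@`, the new size validation evaluates `ALIGN8(m->fields_size)` on a `uint32_t` operand; if ALIGN8 performs its arithmetic in the operand's width (its definition is not on the page), a `fields_size` within 7 of `UINT32_MAX` wraps to 0 and passes the second comparison, so writing `ALIGN8((size_t) m->fields_size)` in both the second and third clauses would make the check independent of that macro's promotion behaviour. Whether such a value can reach this point depends on the message-size cap enforced before `bus_message_from_header`, which is outside the hunk, so this is worth confirming rather than assuming. Separately, the three-step bound check (`start > size`, `nbytes > SIZE_MAX - start`, `end > size`) is now spelled out identically in `buffer_peek` and `message_peek_body`; factoring it into one static helper, as sketched below, keeps the two in lockstep the next time the rule changes, with each caller reduced to `r = peek_bounds(*rindex, align, nbytes, sz, &start, &end); if (r < 0) return r;`. Both functions' bodies continue outside their hunks.
```c
/* Validate an aligned read of nbytes at rindex against size (message or body
 * length) and hand back the aligned start and the end offset. Shared by
 * buffer_peek() and message_peek_body(); returns -EBADMSG on any overrun. */
static int peek_bounds(size_t rindex, size_t align, size_t nbytes, size_t size, size_t *start, size_t *end) {
        size_t s = ALIGN_TO(rindex, align);

        if (s > size)
                return -EBADMSG;

        /* Avoid overflow below */
        if (nbytes > SIZE_MAX - s)
                return -EBADMSG;

        if (s + nbytes > size)
                return -EBADMSG;

        *start = s;
        *end = s + nbytes;
        return 0;
}
/* … unchanged: buffer_peek() and message_peek_body() bodies after the bound check … */
```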
BIN
test/fuzz/fuzz-bus-message/issue-23486-case-1
Normal file
BIN
test/fuzz/fuzz-bus-message/issue-23486-case-1
Normal file
Binary file not shown.
BIN
test/fuzz/fuzz-bus-message/issue-23486-case-2
Normal file
BIN
test/fuzz/fuzz-bus-message/issue-23486-case-2
Normal file
Binary file not shown.
BIN
test/fuzz/fuzz-bus-message/issue-23486-case-3
Normal file
BIN
test/fuzz/fuzz-bus-message/issue-23486-case-3
Normal file
Binary file not shown.