
sd-bus: fix buffer overflow

Fixes .
This commit is contained in:
Yu Watanabe 2022-05-27 04:23:10 +09:00 committed by Zbigniew Jędrzejewski-Szmek
parent 5ad69b04bf
commit 89b6a3f13e
4 changed files with 24 additions and 8 deletions
src/libsystemd/sd-bus
test/fuzz/fuzz-bus-message


@ -428,7 +428,7 @@ int bus_message_from_header(
_cleanup_free_ sd_bus_message *m = NULL; _cleanup_free_ sd_bus_message *m = NULL;
struct bus_header *h; struct bus_header *h;
size_t a, label_sz; size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */
assert(bus); assert(bus);
assert(header || header_accessible <= 0); assert(header || header_accessible <= 0);
@ -506,7 +506,10 @@ int bus_message_from_header(
m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size); m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size);
m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size); m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size);
if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size) assert(message_size >= sizeof(struct bus_header));
if (m->fields_size > message_size - sizeof(struct bus_header) ||
ALIGN8(m->fields_size) > message_size - sizeof(struct bus_header) ||
m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size))
return -EBADMSG; return -EBADMSG;
} }
@ -3061,15 +3064,21 @@ void bus_body_part_unmap(struct bus_body_part *part) {
return; return;
} }
static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) { static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
size_t k, start, end; size_t k, start, end;
assert(rindex); assert(rindex);
assert(align > 0); assert(align > 0);
start = ALIGN_TO((size_t) *rindex, align); start = ALIGN_TO(*rindex, align);
end = start + nbytes; if (start > sz)
return -EBADMSG;
/* Avoid overflow below */
if (nbytes > SIZE_MAX - start)
return -EBADMSG;
end = start + nbytes;
if (end > sz) if (end > sz)
return -EBADMSG; return -EBADMSG;
@ -3272,10 +3281,17 @@ static int message_peek_body(
assert(rindex); assert(rindex);
assert(align > 0); assert(align > 0);
start = ALIGN_TO((size_t) *rindex, align); start = ALIGN_TO(*rindex, align);
padding = start - *rindex; if (start > m->user_body_size)
end = start + nbytes; return -EBADMSG;
padding = start - *rindex;
/* Avoid overflow below */
if (nbytes > SIZE_MAX - start)
return -EBADMSG;
end = start + nbytes;
if (end > m->user_body_size) if (end > m->user_body_size)
return -EBADMSG; return -EBADMSG;
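Review bot: The three comparisons added to bus_message_from_header repeat `message_size - sizeof(struct bus_header)` and apply ALIGN8() to `m->fields_size` directly, a field that is filled from a 32-bit header word via BUS_MESSAGE_BSWAP32; if that field is narrower than size_t, the rounding is presumably done at 32-bit width and only the first comparison keeps a wrapped value away from the body_size test. Hoisting the remaining length into a size_t local and widening before aligning makes the intent readable and removes the width question. The `assert(message_size >= sizeof(struct bus_header))` presumably rests on an earlier header_accessible check outside the hunk; if the caller can pass a smaller size, returning -EBADMSG is the safer choice than asserting. The enclosing function starts and ends outside the hunk.
```c
assert(message_size >= sizeof(struct bus_header));
size_t avail = message_size - sizeof(struct bus_header);
size_t fields_aligned = ALIGN8((size_t) m->fields_size); /* widen first so the rounding cannot wrap at 32 bits */
if (m->fields_size > avail ||
    fields_aligned > avail ||
    m->body_size != avail - fields_aligned)
        return -EBADMSG;
```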
