bus-message: avoid wrap-around when using length read from message
We would read (-1), add 1 to it, call message_peek_body(..., 0, ...), and then go wrong when trying to make use of the data. The fuzzer test case is just for one site, but they all look similar. v2: fix two UINT8_MAX/UINT32_MAX mismatches found by LGTM
parent
d831fb6f2b
commit
902000c198
@ -3389,6 +3389,10 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
|
||||
return r;
|
||||
|
||||
l = BUS_MESSAGE_BSWAP32(m, *(uint32_t*) q);
|
||||
if (l == UINT32_MAX)
|
||||
/* avoid overflow right below */
|
||||
return -EBADMSG;
|
||||
|
||||
r = message_peek_body(m, &rindex, 1, l+1, &q);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -3411,6 +3415,10 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
|
||||
return r;
|
||||
|
||||
l = *(uint8_t*) q;
|
||||
if (l == UINT8_MAX)
|
||||
/* avoid overflow right below */
|
||||
return -EBADMSG;
|
||||
|
||||
r = message_peek_body(m, &rindex, 1, l+1, &q);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -3676,6 +3684,10 @@ static int bus_message_enter_variant(
|
||||
return r;
|
||||
|
||||
l = *(uint8_t*) q;
|
||||
if (l == UINT8_MAX)
|
||||
/* avoid overflow right below */
|
||||
return -EBADMSG;
|
||||
|
||||
r = message_peek_body(m, &rindex, 1, l+1, &q);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -4244,6 +4256,10 @@ _public_ int sd_bus_message_peek_type(sd_bus_message *m, char *type, const char
|
||||
return r;
|
||||
|
||||
l = *(uint8_t*) q;
|
||||
if (l == UINT8_MAX)
|
||||
/* avoid overflow right below */
|
||||
return -EBADMSG;
|
||||
|
||||
r = message_peek_body(m, &rindex, 1, l+1, &q);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -4826,6 +4842,10 @@ static int message_peek_field_string(
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (l == UINT32_MAX)
|
||||
/* avoid overflow right below */
|
||||
return -EBADMSG;
|
||||
|
||||
r = message_peek_fields(m, ri, 1, l+1, &q);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -4877,6 +4897,10 @@ static int message_peek_field_signature(
|
||||
return r;
|
||||
|
||||
l = *(uint8_t*) q;
|
||||
if (l == UINT8_MAX)
|
||||
/* avoid overflow right below */
|
||||
return -EBADMSG;
|
||||
|
||||
r = message_peek_fields(m, ri, 1, l+1, &q);
|
||||
if (r < 0)
|
||||
return r;
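Review bot: In the four hunks that read the length with `l = *(uint8_t*) q;` (the second `sd_bus_message_read_basic` hunk, `bus_message_enter_variant`, `sd_bus_message_peek_type` and `message_peek_field_signature`), the new `l == UINT8_MAX` guard does not prevent a wrap-around. The value is at most 255 and `l+1` is evaluated in at least `int` after integer promotion, so it yields 256, not 0. The wrap described in the commit message appears reachable only at the two `UINT32_MAX` sites, assuming `l` is a 32-bit type there; the declarations and the rest of each function lie outside the hunks. If these 8-bit values are signature lengths, the guard also rejects a 255-byte signature, which the D-Bus specification allows. Unless later code relies on that limit, I would drop `if (l == UINT8_MAX) return -EBADMSG;` at those four sites, or at least replace `/* avoid overflow right below */` with `/* l+1 cannot wrap for an 8-bit length; 255 is refused deliberately */`.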
|
||||
|
Binary file not shown.