88 lines
3.2 KiB
Diff
88 lines
3.2 KiB
Diff
From 871bb5457c5951870d447f53c976a1a1f2dac85d Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
Date: Fri, 3 Aug 2018 14:46:57 +0200
|
|
Subject: [PATCH] bus-message: fix calculation of offsets table for arrays
|
|
|
|
This is similar to the grandparent commit 'fix calculation of offsets table',
|
|
except that now the change is for array elements. Same story as before: we need
|
|
to make sure that the offsets increase enough taking alignment into account.
|
|
|
|
While at it, rename 'p' to 'previous' to match similar code in other places.
|
|
|
|
(cherry picked from commit f88214cf9d66c93f4d22c4c8980de9ee3ff45bab)
|
|
|
|
Resolves: #1696224
|
|
---
|
|
src/libsystemd/sd-bus/bus-message.c | 17 ++++++++++++-----
|
|
...sh-d8f3941c74219b4c03532c9b244d5ea539c61af5 | Bin 0 -> 41 bytes
|
|
2 files changed, 12 insertions(+), 5 deletions(-)
|
|
create mode 100644 test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
|
|
|
|
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
|
|
index c8f7937102..ac823aaf58 100644
|
|
--- a/src/libsystemd/sd-bus/bus-message.c
|
|
+++ b/src/libsystemd/sd-bus/bus-message.c
|
|
@@ -3532,7 +3532,7 @@ static int bus_message_enter_array(
|
|
|
|
size_t rindex;
|
|
void *q;
|
|
- int r, alignment;
|
|
+ int r;
|
|
|
|
assert(m);
|
|
assert(c);
|
|
@@ -3558,6 +3558,7 @@ static int bus_message_enter_array(
|
|
|
|
if (!BUS_MESSAGE_IS_GVARIANT(m)) {
|
|
/* dbus1 */
|
|
+ int alignment;
|
|
|
|
r = message_peek_body(m, &rindex, 4, 4, &q);
|
|
if (r < 0)
|
|
@@ -3591,7 +3592,8 @@ static int bus_message_enter_array(
|
|
*n_offsets = 0;
|
|
|
|
} else {
|
|
- size_t where, p = 0, framing, sz;
|
|
+ size_t where, previous = 0, framing, sz;
|
|
+ int alignment;
|
|
unsigned i;
|
|
|
|
/* gvariant: variable length array */
|
|
@@ -3619,17 +3621,22 @@ static int bus_message_enter_array(
|
|
if (!*offsets)
|
|
return -ENOMEM;
|
|
|
|
+ alignment = bus_gvariant_get_alignment(c->signature);
|
|
+ assert(alignment > 0);
|
|
+
|
|
for (i = 0; i < *n_offsets; i++) {
|
|
- size_t x;
|
|
+ size_t x, start;
|
|
+
|
|
+ start = ALIGN_TO(previous, alignment);
|
|
|
|
x = bus_gvariant_read_word_le((uint8_t*) q + i * sz, sz);
|
|
if (x > c->item_size - sz)
|
|
return -EBADMSG;
|
|
- if (x < p)
|
|
+ if (x < start)
|
|
return -EBADMSG;
|
|
|
|
(*offsets)[i] = rindex + x;
|
|
- p = x;
|
|
+ previous = x;
|
|
}
|
|
|
|
*item_size = (*offsets)[0] - rindex;
|
|
diff --git a/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 b/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..26262e1149825a114a89bf9cee5aeca0be463984
|
|
GIT binary patch
|
|
literal 41
|
|
rcmd1#|DTC5gMmSS0SHWtIT#p03<d^9CI$wL#Kgo*AWlro&=ddwoTCSm
|
|
|
|
literal 0
|
|
HcmV?d00001
|
|
|