bus-message: validate signature in gvariant messages

author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Thu, 11 Apr 2019 12:01:38 +0000 (14:01 +0200)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Thu, 11 Apr 2019 12:01:38 +0000 (14:01 +0200)
author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 11 Apr 2019 12:01:38 +0000 (14:01 +0200)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 11 Apr 2019 12:01:38 +0000 (14:01 +0200)
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c

index 11c4648f9111c1cd3a3a28b7a3c7228c399fda2b..a2464e1a46bcc932581de53ef986756ca1ab04aa 100644 (file)
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -5152,7 +5152,7 @@ int bus_message_parse_fields(sd_bus_message *m) {
                                  return -EBADMSG;
  
                          if (*p == 0) {
-                                char *k;
+                                _cleanup_free_ char *k = NULL;
                                  size_t l;
  
                                  /* We found the beginning of the signature
@@ -5170,6 +5170,9 @@ int bus_message_parse_fields(sd_bus_message *m) {
                                  if (!k)
                                          return -ENOMEM;
  
+                                if (!signature_is_valid(k, true))
+                                        return -EBADMSG;
+
                                  free_and_replace(m->root_container.signature, k);
                                  break;
                          }
diff --git a/test/fuzz/fuzz-bus-message/oss-fuzz-14016 b/test/fuzz/fuzz-bus-message/oss-fuzz-14016

new file mode 100644 (file)

index 0000000..c82d1ba

Binary files /dev/null and b/test/fuzz/fuzz-bus-message/oss-fuzz-14016 differ
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Thu, 11 Apr 2019 12:01:38 +0000 (14:01 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Thu, 11 Apr 2019 12:01:38 +0000 (14:01 +0200)
src/libsystemd/sd-bus/bus-message.c		patch \| blob \| blame \| history
test/fuzz/fuzz-bus-message/oss-fuzz-14016	[new file with mode: 0644]	patch \| blob