bus: fix memleak on invalid message

Introduced in 6d586a13717ae057aa1b4127400c3de61cd5b9e7.
Reported by Felix Riemann in https://bugzilla.redhat.com/show_bug.cgi?id=1685286.

Reproducer:
for i in `seq 1 100`; do gdbus call --session -d org.freedesktop.systemd1 -m org.freedesktop.systemd1.Manager.StartUnit -o "/$(for x in `seq 0 28000`; do echo -n $x; done)" & done

diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
index 790b64010a5cf54b45cacf78934a8ce30a284fb9..4a50b5fad484fffd104192ac530976ef219aab5b 100644 (file)
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -1132,13 +1132,15 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
                                     bus->fds, bus->n_fds,
                                     NULL,
                                     &t);
-        if (r == -EBADMSG)
+        if (r == -EBADMSG) {
                 log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
-        else if (r < 0) {
+                free(bus->rbuffer); /* We want to drop current rbuffer and proceed with whatever remains in b */
+        } else if (r < 0) {
                 free(b);
                 return r;
         }
 
+        /* rbuffer ownership was either transferred to t, or we got EBADMSG and dropped it. */
         bus->rbuffer = b;
         bus->rbuffer_size -= size;