Merge pull request #12279 from keszybz/sd-bus-long-signatures
authorLennart Poettering <lennart@poettering.net>
Thu, 11 Apr 2019 15:03:57 +0000 (17:03 +0200)
committerGitHub <noreply@github.com>
Thu, 11 Apr 2019 15:03:57 +0000 (17:03 +0200)
sd-bus: properly handle messages with overlong signatures

src/libsystemd/sd-bus/bus-internal.c
src/libsystemd/sd-bus/bus-message.c
src/libsystemd/sd-bus/bus-signature.c
src/systemd/sd-bus.h
test/fuzz/fuzz-bus-message/oss-fuzz-14016 [new file with mode: 0644]

index 598b7f110c7365a458a6bc39584a6b7408d2b81e..dff39cb13fec51b1b6005182187f8227571c5d2c 100644 (file)
@@ -97,7 +97,7 @@ bool interface_name_is_valid(const char *p) {
                         dot = false;
                 }
 
-        if (q - p > 255)
+        if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
                 return false;
 
         if (dot)
@@ -139,7 +139,7 @@ bool service_name_is_valid(const char *p) {
                         dot = false;
                 }
 
-        if (q - p > 255)
+        if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
                 return false;
 
         if (dot)
@@ -170,7 +170,7 @@ bool member_name_is_valid(const char *p) {
                         return false;
         }
 
-        if (q - p > 255)
+        if (q - p > SD_BUS_MAXIMUM_NAME_LENGTH)
                 return false;
 
         return true;
index 11c4648f9111c1cd3a3a28b7a3c7228c399fda2b..427d42f2969097b1b779414de8ce1877e7ae904b 100644 (file)
@@ -284,7 +284,7 @@ static int message_append_field_signature(
         /* dbus1 doesn't allow signatures over 8bit, let's enforce
          * this globally, to not risk convertability */
         l = strlen(s);
-        if (l > 255)
+        if (l > SD_BUS_MAXIMUM_SIGNATURE_LENGTH)
                 return -EINVAL;
 
         /* Signature "(yv)" where the variant contains "g" */
@@ -5152,7 +5152,7 @@ int bus_message_parse_fields(sd_bus_message *m) {
                                 return -EBADMSG;
 
                         if (*p == 0) {
-                                char *k;
+                                _cleanup_free_ char *k = NULL;
                                 size_t l;
 
                                 /* We found the beginning of the signature
@@ -5170,6 +5170,9 @@ int bus_message_parse_fields(sd_bus_message *m) {
                                 if (!k)
                                         return -ENOMEM;
 
+                                if (!signature_is_valid(k, true))
+                                        return -EBADMSG;
+
                                 free_and_replace(m->root_container.signature, k);
                                 break;
                         }
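Review bot: The added `signature_is_valid(k, true)` check has no comment saying why it is needed at this spot. `k` appears to be copied out of the message being parsed, so it is untrusted input, and code after `free_and_replace()` presumably relies on `m->root_container.signature` being well-formed and at most `SD_BUS_MAXIMUM_SIGNATURE_LENGTH` bytes long. I would put `/* The signature comes off the wire: reject malformed or overlong ones before storing it */` above the check. The early `return -EBADMSG` is only leak-free because the previous hunk made `k` a `_cleanup_free_` pointer, so the two changes have to stay together. bus_message_parse_fields() starts and ends outside the hunk.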
index 1ecd6e8b7efd7e8b95ca23da329cc23da5a82ddd..b420ba3688d096ac60e1f5e4f8d3a2513cc0bfcf 100644 (file)
@@ -144,5 +144,5 @@ bool signature_is_valid(const char *s, bool allow_dict_entry) {
                 p += t;
         }
 
-        return p - s <= 255;
+        return p - s <= SD_BUS_MAXIMUM_SIGNATURE_LENGTH;
 }
index 129cc933288c783cc84d4868f52a5936cc225a59..84ceb62dc79c7ef670ca0173bb8f68a4aecb89b2 100644 (file)
@@ -33,6 +33,12 @@ _SD_BEGIN_DECLARATIONS;
 #define SD_BUS_DEFAULT_USER ((sd_bus *) 2)
 #define SD_BUS_DEFAULT_SYSTEM ((sd_bus *) 3)
 
+/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-marshaling-signature */
+#define SD_BUS_MAXIMUM_SIGNATURE_LENGTH 255
+
+/* https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names */
+#define SD_BUS_MAXIMUM_NAME_LENGTH 255
+
 /* Types */
 
 typedef struct sd_bus sd_bus;
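Review bot: The two new macros land in a public header with only a specification URL above each, so the unit and the NUL convention are left for the reader to work out. The call sites in this commit compare them against `strlen(s)`, `q - p` and `p - s`, which are byte counts without the terminator, so a buffer sized from either macro needs one extra byte. A comment such as `/* Maximum signature length in bytes, excluding the trailing NUL */`, with the same wording for names, would make that explicit. It may also be worth saying that the values are fixed by the D-Bus specification and are not tunables.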
diff --git a/test/fuzz/fuzz-bus-message/oss-fuzz-14016 b/test/fuzz/fuzz-bus-message/oss-fuzz-14016
new file mode 100644 (file)
index 0000000..c82d1ba
Binary files /dev/null and b/test/fuzz/fuzz-bus-message/oss-fuzz-14016 differ