From 3dec520197e10001438762512c74c78031b1562c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 16 Mar 2019 23:39:26 +0100 Subject: [PATCH] bus: fix memleak on invalid message Introduced in 6d586a13717ae057aa1b4127400c3de61cd5b9e7. Reported by Felix Riemann in https://bugzilla.redhat.com/show_bug.cgi?id=1685286. Reproducer: for i in `seq 1 100`; do gdbus call --session -d org.freedesktop.systemd1 -m org.freedesktop.systemd1.Manager.StartUnit -o "/$(for x in `seq 0 28000`; do echo -n $x; done)" & done --- src/libsystemd/sd-bus/bus-socket.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c index 790b64010a5..4a50b5fad48 100644 --- a/src/libsystemd/sd-bus/bus-socket.c +++ b/src/libsystemd/sd-bus/bus-socket.c @@ -1132,13 +1132,15 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { bus->fds, bus->n_fds, NULL, &t); - if (r == -EBADMSG) + if (r == -EBADMSG) { log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description)); - else if (r < 0) { + free(bus->rbuffer); /* We want to drop current rbuffer and proceed with whatever remains in b */ + } else if (r < 0) { free(b); return r; } + /* rbuffer ownership was either transferred to t, or we got EBADMSG and dropped it. */ bus->rbuffer = b; bus->rbuffer_size -= size; -- 2.39.2