From 73777ddba5100fe6c0791cd37a91f24a515f3202 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sat, 11 Aug 2018 08:32:20 +0200
Subject: [PATCH] bus-message: fix skipping of array fields in !gvariant messages

We copied part of the string into a buffer that was off by two. If the element signature had length one, we'd copy 0 bytes and crash when looking at the "first" byte. Otherwise, we would crash because strncpy would not terminate the string.
---
 src/libsystemd/sd-bus/bus-message.c | 8 ++++----
 ...crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 | Bin 0 -> 534 bytes
 2 files changed, 4 insertions(+), 4 deletions(-)
 create mode 100644 test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 7fb48cb330c..b1d89fddc4c 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -4958,18 +4958,18 @@ static int message_skip_fields(
 } else if (t == SD_BUS_TYPE_ARRAY) {
- r = signature_element_length(*signature+1, &l);
+ r = signature_element_length(*signature + 1, &l);
 if (r < 0) return r; assert(l >= 1); {
- char sig[l-1], *s;
+ char sig[l + 1], *s = sig;
 uint32_t nas; int alignment;
- strncpy(sig, *signature + 1, l-1);
- s = sig;
+ strncpy(sig, *signature + 1, l);
+ sig[l] = '\0';
 alignment = bus_type_get_alignment(sig[0]); if (alignment < 0)
diff --git a/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 b/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
new file mode 100644
index 0000000000000000000000000000000000000000..6a20265a39e1b4a318b50aee2b13727ddc4113bf
GIT binary patch
literal 534
zc-qThWMHggWMD`aVqj=xU|>*W&P&W-;Q0Fg|9=J$VCMu=489PGAyE!Ob3yq)tqgiV
z%v=N{Kyu8C#SF|qIxRmRtbi5BX9d#bi8(3x3>*xc%nYO%43bMs1oMr+{KT}9R9e|a
ePw&yeCs+eBUlSz60b(i?mlS2@r86J_uyFu;dn%^@

literal 0
Hc-jL100001

-- 
2.47.3
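Review bot: The new `strncpy(sig, *signature + 1, l)` plus `sig[l] = '\0'` is correct, but it reads as a bounded string copy when it is really a fixed-length copy of a substring that signature_element_length has just reported to be exactly `l` bytes long; `memcpy(sig, *signature + 1, l); sig[l] = '\0';` states that intent directly and removes the strncpy padding/termination questions that caused the original bug. The VLA `char sig[l + 1]` is sized from the incoming message's field signature, so its stack footprint is only bounded if the signature length was already validated before message_skip_fields runs; that check is outside this hunk, so it is worth confirming (the D-Bus signature limit of 255 bytes would make it safe). A short comment such as `/* l is the element signature length; sig holds it NUL-terminated for the recursive skip */` above the copy would document why the buffer is l + 1. message_skip_fields continues outside the hunk on both sides.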