test: Parse a message with a byteswapped Unix fd index

Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit bef693f442d854505e7013fd31efe41747d7493c)
[backport to 1.14.x: discard Meson build system updates]

diff --git a/test/Makefile.am b/test/Makefile.am
index de6364afdd94a0058187b01d2c258bbab4738709..5ffc4e00a63313c29b39e2713b70d418ab0c40e1 100644 (file)
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -725,6 +725,8 @@ static_data = \
        data/valid-config-files/standard-session-dirs.conf \
        data/valid-config-files-system/many-rules.conf \
        data/valid-config-files-system/system.d/test.conf \
+       data/valid-messages/byteswap-fd-index.message-raw \
+       data/valid-messages/byteswap-fd-index.message-raw.hex \
        data/valid-messages/minimal.message-raw \
        data/valid-messages/minimal.message-raw.hex \
        $(NULL)

diff --git a/test/data/valid-messages/byteswap-fd-index.message-raw b/test/data/valid-messages/byteswap-fd-index.message-raw
new file mode 100644 (file)
index 0000000..a1724ff
Binary files /dev/null and b/test/data/valid-messages/byteswap-fd-index.message-raw differ

diff --git a/test/data/valid-messages/byteswap-fd-index.message-raw.hex b/test/data/valid-messages/byteswap-fd-index.message-raw.hex
new file mode 100644 (file)
index 0000000..f3d0f91
--- /dev/null
+++ b/test/data/valid-messages/byteswap-fd-index.message-raw.hex
@@ -0,0 +1,43 @@
+# Copyright 2022 Evgeny Vereshchagin
+# Copyright 2022 Collabora Ltd.
+# SPDX-License-Identifier: MIT
+#
+# This is an annotated hex-dump of a message originally generated by a
+# fuzzer.
+#
+# To output as binary:
+# sed -e 's/#.*//' test/data/invalid-messages/endian.message-raw.hex |
+# xxd -p -r - test/data/invalid-messages/endian.message-raw
+#
+# This message is technically valid, but not practically useful: it
+# contains a "handle" for the 4163371528th out-of-band file descriptor,
+# which is not a practically useful thing to send, because it exceeds any
+# reasonable number of file descriptors to attach to a message.
+#
+# The message is also in big-endian encoding (the opposite of the encoding
+# used by all commonly-used CPU architectures in 2022), which until
+# recently would trigger a denial-of-service vulnerability in the dbus
+# message marshalling code.
+
+# Offset % 0x10:
+# 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
+
+  42                                       # big-endian
+    2d                                     # an undefined message type
+       31                                  # flags
+         01                                # major protocol version 1
+            0000 000c                      # message body is 0x0c = 12 bytes
+                      97bc 9023            # serial number 0x97bc9023
+                                0000 0008  # header is an array of 8 bytes of struct (yv)
+  08                                       # header field code 0x08 (signature)
+    01                                     # variant signature is 1 byte
+       6700                                # "g" \0
+            02                             # signature is 2 bytes
+              68 7600                      # "hv" \0
+                                           # begin message body, 12 bytes
+                      f828 0208            # out-of-band fd, index = 0xf8280208
+                                02         # variant signature is 2 bytes
+                                  61 7600  # "av" \0
+  0000 0000                                # array length is 0
+
+#sha1 f99a286aaaf84d9b97549f35f71042f4a2f37e78

diff --git a/test/message.c b/test/message.c
index 58966cb870dbd18dcce87e229d57057d4d366a25..60ef113d9c0fa2248bcf30e838883665c6f8f3f9 100644 (file)
--- a/test/message.c
+++ b/test/message.c
@@ -514,6 +514,7 @@ add_oom_test (const gchar *name,
 
 static const char *valid_messages[] =
 {
+  "byteswap-fd-index",
   "minimal",
 };