_cleanup_free_ sd_bus_message *m = NULL;
struct bus_header *h;
- size_t a, label_sz;
+ size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */
assert(bus);
assert(header || header_accessible <= 0);
m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size);
m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size);
- if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size)
+ assert(message_size >= sizeof(struct bus_header));
+ if (m->fields_size > message_size - sizeof(struct bus_header) ||
+ ALIGN8(m->fields_size) > message_size - sizeof(struct bus_header) ||
+ m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size))
return -EBADMSG;
}
return;
}
-static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
+static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) {
size_t k, start, end;
assert(rindex);
assert(align > 0);
- start = ALIGN_TO((size_t) *rindex, align);
- end = start + nbytes;
+ start = ALIGN_TO(*rindex, align);
+ if (start > sz)
+ return -EBADMSG;
+
+ /* Avoid overflow below */
+ if (nbytes > SIZE_MAX - start)
+ return -EBADMSG;
+ end = start + nbytes;
if (end > sz)
return -EBADMSG;
assert(rindex);
assert(align > 0);
- start = ALIGN_TO((size_t) *rindex, align);
+ start = ALIGN_TO(*rindex, align);
+ if (start > m->user_body_size)
+ return -EBADMSG;
+
padding = start - *rindex;
- end = start + nbytes;
+ /* Avoid overflow below */
+ if (nbytes > SIZE_MAX - start)
+ return -EBADMSG;
+
+ end = start + nbytes;
if (end > m->user_body_size)
return -EBADMSG;
projects / thirdparty / systemd.git / commitdiff
