bus: add some minimal bounds check on signatures 28417/head
authorLuca Boccassi <bluca@debian.org>
Sun, 16 Jul 2023 00:10:47 +0000 (01:10 +0100)
committerLuca Boccassi <bluca@debian.org>
Sun, 16 Jul 2023 10:32:54 +0000 (11:32 +0100)
CID#1491292
CID#1491291
CID#1491290
CID#1491289
CID#1491284
CID#1491281
CID#1491280
CID#1491278

src/busctl/busctl.c
src/libsystemd/sd-bus/bus-message.c

index 72eed36335110cd9511717c42ebe77e2cffbd1de..c1a0479015c126b7b87081085bdcfb8fa7fda115 100644 (file)
@@ -1627,8 +1627,11 @@ static int message_append_cmdline(sd_bus_message *m, const char *signature, char
                         p--;
 
                         r = signature_element_length(signature, &k);
-                        if (r < 0)
+                        if (r < 0 || k < 2) {
+                                if (r >= 0 && k < 2)
+                                        r = -ERANGE;
                                 return log_error_errno(r, "Invalid struct/dict entry signature: %m");
+                        }
 
                         {
                                 char s[k-1];
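Review bot: The new `k < 2` test gives `char s[k-1]` a lower bound only; nothing visible in this hunk caps `k` from above, so the size of the stack VLA still follows the length of the signature element, which in `message_append_cmdline` presumably comes from the command line. The same applies to the three `char s[k - 1]` sites in `sd_bus_message_appendv`, `sd_bus_message_readv` and `sd_bus_message_skip`, where the string is supplied by the API caller. Unless `signature_element_length()` already limits the length (not shown here), I would add an upper limit to the same test, for example `if (r >= 0 && (k < 2 || k > SD_BUS_MAXIMUM_SIGNATURE_LENGTH)) r = -ERANGE;`, or move the copy off the stack. The function body starts and ends outside the hunk.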
index 3cf1419a14b5b73ee7e729b675ab9b9103dadad1..f1cf6a8cc474efc273992867b2dd245b97097630 100644 (file)
@@ -2027,6 +2027,8 @@ _public_ int sd_bus_message_appendv(
                         r = signature_element_length(t, &k);
                         if (r < 0)
                                 return r;
+                        if (k < 2)
+                                return -ERANGE;
 
                         {
                                 char s[k - 1];
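Review bot: The added `if (k < 2) return -ERANGE;` carries no comment, and the reason for the constant 2 only becomes clear from the `char s[k - 1]` declaration three lines further down. I would add `/* s[] below is k - 1 bytes: k == 0 would wrap if k is unsigned, k == 1 would make a zero-length VLA */` above the check, here and at the identical checks in `sd_bus_message_readv` and `sd_bus_message_skip`. If `signature_element_length()` can never return such a length for a well-formed container (not visible here), the comment should say that the check is defensive. The enclosing function continues outside the hunk.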
@@ -3470,6 +3472,8 @@ _public_ int sd_bus_message_readv(
                         r = signature_element_length(t, &k);
                         if (r < 0)
                                 return r;
+                        if (k < 2)
+                                return -ERANGE;
 
                         {
                                 char s[k - 1];
@@ -3650,6 +3654,8 @@ _public_ int sd_bus_message_skip(sd_bus_message *m, const char *types) {
                 r = signature_element_length(types, &k);
                 if (r < 0)
                         return r;
+                if (k < 2)
+                        return -ERANGE;
 
                 {
                         char s[k-1];