From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Sat, 16 Mar 2019 22:39:26 +0000 (+0100)
Subject: bus: fix memleak on invalid message
X-Git-Tag: v242-rc1~114
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3dec520197e10001438762512c74c78031b1562c;p=thirdparty%2Fsystemd.git

bus: fix memleak on invalid message

Introduced in 6d586a13717ae057aa1b4127400c3de61cd5b9e7.
Reported by Felix Riemann in https://bugzilla.redhat.com/show_bug.cgi?id=1685286.

Reproducer:
for i in `seq 1 100`; do gdbus call --session -d org.freedesktop.systemd1 -m org.freedesktop.systemd1.Manager.StartUnit -o "/$(for x in `seq 0 28000`; do echo -n $x; done)" & done
---

diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
index 790b64010a5..4a50b5fad48 100644
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -1132,13 +1132,15 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) {
                                     bus->fds, bus->n_fds,
                                     NULL,
                                     &t);
-        if (r == -EBADMSG)
+        if (r == -EBADMSG) {
                 log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description));
-        else if (r < 0) {
+                free(bus->rbuffer); /* We want to drop current rbuffer and proceed with whatever remains in b */
+        } else if (r < 0) {
                 free(b);
                 return r;
         }
 
+        /* rbuffer ownership was either transferred to t, or we got EBADMSG and dropped it. */
         bus->rbuffer = b;
         bus->rbuffer_size -= size;