From 49c1e1bcf2b482b6de35a4212a06ed1d8c382745 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Thu, 30 Apr 2026 14:03:47 +0200
Subject: [PATCH] dbus: limit the number of env variables to something reasonable, vol. 2
Turns out we can utilize this limit at a couple more places, so let's move the previously defined limit constant to env-util.h and use it to guard a couple more D-Bus methods. Also, bump it a bit, given it's meant to be a safety cap that can't be hit in valid scenarios. Follow-up for 7671b43cb88532cce2aa9ad12f777922206d6a42.
---
 src/basic/env-util.h | 2 ++
 src/core/dbus-manager.c | 10 ++++++++++
 src/libsystemd/sd-json/json-util.h | 2 --
 src/machine/machine-dbus.c | 4 ++++
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/basic/env-util.h b/src/basic/env-util.h
index 28338a1458e..4063517660b 100644
--- a/src/basic/env-util.h
+++ b/src/basic/env-util.h
@@ -3,6 +3,8 @@
 #include "basic-forward.h"
+#define ENVIRONMENT_ASSIGNMENTS_MAX 16384U
+
 size_t sc_arg_max(void);
 bool env_name_is_valid(const char *e);
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 37b38c6ae9e..0e93bc723c0 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1892,6 +1892,10 @@ static int method_set_environment(sd_bus_message *message, void *userdata, sd_bu
 r = sd_bus_message_read_strv(message, &plus);
 if (r < 0)
 return r;
+
+ if (strv_length(plus) > ENVIRONMENT_ASSIGNMENTS_MAX)
+ return sd_bus_error_set(reterr_error, SD_BUS_ERROR_LIMITS_EXCEEDED,
+ "Too many environment assignments in a single query.");
 if (!strv_env_is_valid(plus))
 return sd_bus_error_set(reterr_error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments");
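Review bot: The new `ENVIRONMENT_ASSIGNMENTS_MAX` define in env-util.h has no comment saying what it bounds, and the name alone does not tell a caller whether it counts entries or bytes. The commit message describes it as a safety cap that valid callers cannot hit; that belongs next to the constant, for example `/* Safety cap on the number of environment assignments or names accepted in one request; not expected to be hit by valid callers. */`. Since this header is now the only definition, every existing user of the macro also picks up the change from 1024U to 16384U, which is worth stating there as well.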
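Review bot: The count check in method_set_environment runs only after `sd_bus_message_read_strv()` has already filled `plus`, so it limits the validation and any later processing of the list, not the memory spent reading the request. That placement is reasonable, but the intent is not obvious from the code; a short comment such as `/* Reject oversized lists before validating them; the array itself has already been read at this point. */` would keep a later reader from assuming the guard bounds allocation. The same applies to the guards added in method_unset_environment and method_unset_and_set_environment, and to bus_machine_method_open_shell in machine-dbus.c. The function body continues outside this hunk, so what is done with `plus` afterwards is not visible here.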
@@ -1923,6 +1927,9 @@ static int method_unset_environment(sd_bus_message *message, void *userdata, sd_
 if (r < 0)
 return r;
+ if (strv_length(minus) > ENVIRONMENT_ASSIGNMENTS_MAX)
+ return sd_bus_error_set(reterr_error, SD_BUS_ERROR_LIMITS_EXCEEDED,
+ "Too many environment variable names in a single query.");
 if (!strv_env_name_or_assignment_is_valid(minus))
 return sd_bus_error_set(reterr_error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment variable names or assignments");
@@ -1959,6 +1966,9 @@ static int method_unset_and_set_environment(sd_bus_message *message, void *userd
 if (r < 0)
 return r;
+ if (strv_length(plus) > ENVIRONMENT_ASSIGNMENTS_MAX || strv_length(minus) > ENVIRONMENT_ASSIGNMENTS_MAX)
+ return sd_bus_error_set(reterr_error, SD_BUS_ERROR_LIMITS_EXCEEDED,
+ "Too many environment variable names or assignments in a single query.");
 if (!strv_env_name_or_assignment_is_valid(minus))
 return sd_bus_error_set(reterr_error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment variable names or assignments");
diff --git a/src/libsystemd/sd-json/json-util.h b/src/libsystemd/sd-json/json-util.h
index 34d79d5238a..cea2d368b43 100644
--- a/src/libsystemd/sd-json/json-util.h
+++ b/src/libsystemd/sd-json/json-util.h
@@ -9,8 +9,6 @@
 #include "sd-forward.h"
 #include "string-util.h" /* IWYU pragma: keep */
-#define ENVIRONMENT_ASSIGNMENTS_MAX 1024U
-
 #define JSON_VARIANT_REPLACE(v, q) \
 do { \
 typeof(v)* _v = &(v); \
diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c
index a9d15ca5f72..28f64b3c9b6 100644
--- a/src/machine/machine-dbus.c
+++ b/src/machine/machine-dbus.c
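Review bot: In method_unset_and_set_environment the two lists are capped independently, so one call can still carry up to twice `ENVIRONMENT_ASSIGNMENTS_MAX` entries, and the shared error text does not say which list was too long. If the cap is meant per request, compare the sum instead, `if (strv_length(plus) + strv_length(minus) > ENVIRONMENT_ASSIGNMENTS_MAX)`; if it is meant per list, a one-line comment saying so would remove the ambiguity. Only the validation of `minus` is visible here; the reads of both lists and the rest of the function are outside the hunk.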
@@ -435,6 +435,10 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
 r = sd_bus_message_read_strv(message, &env);
 if (r < 0)
 return r;
+
+ if (strv_length(env) > ENVIRONMENT_ASSIGNMENTS_MAX)
+ return sd_bus_error_set(error, SD_BUS_ERROR_LIMITS_EXCEEDED,
+ "Too many environment assignments in a single query.");
 if (!strv_env_is_valid(env))
 return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments");
-- 
2.47.3