core: enforce a limit on STATUS= texts recvd from services

Let's better be safe than sorry, and put a limit on what we receive.

(cherry picked from commit 3eac1bcae9284fb8b18f4b82156c0e85ddb004e5)

Related: CVE-2018-15686

diff --git a/src/core/service.c b/src/core/service.c
index db1356c4173483bfb400a9693de07c281a9ed6c0..db17221888b949d9967a8c8fc45022b4ff1f9e1e 100644 (file)
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -3549,8 +3549,12 @@ static void service_notify_message(
                 _cleanup_free_ char *t = NULL;
 
                 if (!isempty(e)) {
-                        if (!utf8_is_valid(e))
-                                log_unit_warning(u, "Status message in notification message is not UTF-8 clean.");
+                        /* Note that this size limit check is mostly paranoia: since the datagram size we are willing
+                         * to process is already limited to NOTIFY_BUFFER_MAX, this limit here should never be hit. */
+                        if (strlen(e) > STATUS_TEXT_MAX)
+                                log_unit_warning(u, "Status message overly long (%zu > %u), ignoring.", strlen(e), STATUS_TEXT_MAX);
+                        else if (!utf8_is_valid(e))
+                                log_unit_warning(u, "Status message in notification message is not UTF-8 clean, ignoring.");
                         else {
                                 t = strdup(e);
                                 if (!t)

diff --git a/src/core/service.h b/src/core/service.h
index 9c06e91883b72ca1cdce04fc07f58a0d35e1d312..a142b09f0d6412ca64ee7bc97251ce744880e3b6 100644 (file)
--- a/src/core/service.h
+++ b/src/core/service.h
@@ -202,3 +202,5 @@ const char* service_result_to_string(ServiceResult i) _const_;
 ServiceResult service_result_from_string(const char *s) _pure_;
 
 DEFINE_CAST(SERVICE, Service);
+
+#define STATUS_TEXT_MAX (16U*1024U)