diff options
author | Simon McVittie <smcv@collabora.com> | 2022-09-04 21:17:53 +0100 |
---|---|---|
committer | Simon McVittie <smcv@collabora.com> | 2022-09-06 14:52:12 +0100 |
commit | f5e4724a3d7c5727ef5550ab95b3c47e290c1376 (patch) | |
tree | 00f27b1e005a1e76cb61f3bd7768318018db6bb9 | |
parent | bd4e4b0b9598474140d50f5215234307f7a02085 (diff) | |
download | dbus-python-f5e4724a3d7c5727ef5550ab95b3c47e290c1376.tar.gz |
message: Fix assertion failure unpacking handle to an out-of-range fd
In the D-Bus wire protocol, the representation of a Unix fd is a simple
integer in the message body (referred to as the "handle" in GDBus)
which acts as an index into the array of out-of-band fds attached to
the message. The libdbus API (and therefore the dbus-python API)
automatically translates handles into fds, but the GDBus API does not,
making it possible for a GDBus sender to send a message containing
handles that are out-of-range for the number of attached fds. The
message bus also does not prevent such messages from being sent.
dbus-python services need to cope with this and fail gracefully while
unpacking the message, rather than crashing with an assertion failure
in UnixFd_tp_new when the fd turns out to be invalid.
Resolves: https://github.com/firewalld/firewalld/issues/985
Signed-off-by: Simon McVittie <smcv@collabora.com>
-rw-r--r-- | dbus_bindings/message-get-args.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/dbus_bindings/message-get-args.c b/dbus_bindings/message-get-args.c index 6dad272..628a616 100644 --- a/dbus_bindings/message-get-args.c +++ b/dbus_bindings/message-get-args.c @@ -307,7 +307,15 @@ _message_iter_get_pyobject(DBusMessageIter *iter, #ifdef DBUS_TYPE_UNIX_FD case DBUS_TYPE_UNIX_FD: DBG("%s", "found an unix fd"); + /* Note that this can return an invalid fd (less than 0) if the + * sender has included an index numerically greater than the + * number of fds that were attached out-of-band to the message. + * libdbus cannot send messages like this, but GDBus can. */ dbus_message_iter_get_basic(iter, &u.fd); + if (u.fd < 0) { + PyErr_Format(PyExc_ValueError, "invalid file descriptor in message"); + break; + } args = Py_BuildValue("(i)", u.fd); if (args) { ret = PyObject_Call((PyObject *)&DBusPyUnixFd_Type, args, |