diff options
author | Lennart Poettering <lennart@poettering.net> | 2018-10-17 18:37:48 +0200 |
---|---|---|
committer | Lukáš Nykrýn <lnykryn@redhat.com> | 2019-01-17 10:01:12 +0100 |
commit | 6abfec31acae53943896b309db4a09a1cecac9a3 (patch) | |
tree | b708f08bf563bd753b39ee78d7a954bf80db2b4a | |
parent | 55a1c766445750aaefe28bd7bea454f5f1cff9bb (diff) | |
download | systemd-6abfec31acae53943896b309db4a09a1cecac9a3.tar.gz |
core: enforce a limit on STATUS= texts recvd from services
Let's better be safe than sorry, and put a limit on what we receive.
(cherry picked from commit 3eac1bcae9284fb8b18f4b82156c0e85ddb004e5)
Related: CVE-2018-15686
-rw-r--r-- | src/core/service.c | 8 | ||||
-rw-r--r-- | src/core/service.h | 2 |
2 files changed, 8 insertions, 2 deletions
diff --git a/src/core/service.c b/src/core/service.c index db1356c417..db17221888 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -3549,8 +3549,12 @@ static void service_notify_message( _cleanup_free_ char *t = NULL; if (!isempty(e)) { - if (!utf8_is_valid(e)) - log_unit_warning(u, "Status message in notification message is not UTF-8 clean."); + /* Note that this size limit check is mostly paranoia: since the datagram size we are willing + * to process is already limited to NOTIFY_BUFFER_MAX, this limit here should never be hit. */ + if (strlen(e) > STATUS_TEXT_MAX) + log_unit_warning(u, "Status message overly long (%zu > %u), ignoring.", strlen(e), STATUS_TEXT_MAX); + else if (!utf8_is_valid(e)) + log_unit_warning(u, "Status message in notification message is not UTF-8 clean, ignoring."); else { t = strdup(e); if (!t) diff --git a/src/core/service.h b/src/core/service.h index 9c06e91883..a142b09f0d 100644 --- a/src/core/service.h +++ b/src/core/service.h @@ -202,3 +202,5 @@ const char* service_result_to_string(ServiceResult i) _const_; ServiceResult service_result_from_string(const char *s) _pure_; DEFINE_CAST(SERVICE, Service); + +#define STATUS_TEXT_MAX (16U*1024U) |