core: enforce a limit on STATUS= texts recvd from services

Let's better be safe than sorry, and put a limit on what we receive.

(cherry picked from commit 3eac1bcae9284fb8b18f4b82156c0e85ddb004e5)

Related: CVE-2018-15686

2 files changed, 8 insertions, 2 deletions

diff --git a/src/core/service.c b/src/core/service.c
index db1356c417..db17221888 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -3549,8 +3549,12 @@ static void service_notify_message(
                 _cleanup_free_ char *t = NULL;
 
                 if (!isempty(e)) {
-                        if (!utf8_is_valid(e))
-                                log_unit_warning(u, "Status message in notification message is not UTF-8 clean.");
+                        /* Note that this size limit check is mostly paranoia: since the datagram size we are willing
+                         * to process is already limited to NOTIFY_BUFFER_MAX, this limit here should never be hit. */
+                        if (strlen(e) > STATUS_TEXT_MAX)
+                                log_unit_warning(u, "Status message overly long (%zu > %u), ignoring.", strlen(e), STATUS_TEXT_MAX);
+                        else if (!utf8_is_valid(e))
+                                log_unit_warning(u, "Status message in notification message is not UTF-8 clean, ignoring.");
                         else {
                                 t = strdup(e);
                                 if (!t)
diff --git a/src/core/service.h b/src/core/service.h
index 9c06e91883..a142b09f0d 100644
--- a/src/core/service.h
+++ b/src/core/service.h
@@ -202,3 +202,5 @@ const char* service_result_to_string(ServiceResult i) _const_;
 ServiceResult service_result_from_string(const char *s) _pure_;
 
 DEFINE_CAST(SERVICE, Service);
+
+#define STATUS_TEXT_MAX (16U*1024U)