bus-message: fix skipping of array fields in !gvariant messages

We copied part of the string into a buffer that was off by two. If the element signature had length one, we'd copy 0 bytes and crash when looking at the "first" byte. Otherwise, we would crash because strncpy would not terminate the string. (cherry picked from commit 73777ddba5100fe6c0791cd37a91f24a515f3202) Resolves: #1696224
author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2018-08-11 08:32:20 +0200
committer: Lukáš Nykrýn <lnykryn@redhat.com> 2019-05-03 12:50:30 +0200
commit: d212765dc94ba25c04e0e9a278586f0e86851e35 (patch)
tree: c37441367f64b3d16430e0169f96858821977b20
parent: f6af2bfe4b353b25a61c362c3ada9be06c8f15c9 (diff)
download: systemd-d212765dc94ba25c04e0e9a278586f0e86851e35.tar.gz
2 files changed, 4 insertions, 4 deletions
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 09e72d89dd..202f1aab30 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -4981,18 +4981,18 @@ static int message_skip_fields(
 
                 } else if (t == SD_BUS_TYPE_ARRAY) {
 
-                        r = signature_element_length(*signature+1, &l);
+                        r = signature_element_length(*signature + 1, &l);
                         if (r < 0)
                                 return r;
 
                         assert(l >= 1);
                         {
-                                char sig[l-1], *s;
+                                char sig[l + 1], *s = sig;
                                 uint32_t nas;
                                 int alignment;
 
-                                strncpy(sig, *signature + 1, l-1);
-                                s = sig;
+                                strncpy(sig, *signature + 1, l);
+                                sig[l] = '\0';
 
                                 alignment = bus_type_get_alignment(sig[0]);
                                 if (alignment < 0)
diff --git a/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 b/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
new file mode 100644
index 0000000000..6a20265a39
--- /dev/null
+++ b/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2018-08-11 08:32:20 +0200
committer	Lukáš Nykrýn <lnykryn@redhat.com>	2019-05-03 12:50:30 +0200
commit	d212765dc94ba25c04e0e9a278586f0e86851e35 (patch)
tree	c37441367f64b3d16430e0169f96858821977b20
parent	f6af2bfe4b353b25a61c362c3ada9be06c8f15c9 (diff)
download	systemd-d212765dc94ba25c04e0e9a278586f0e86851e35.tar.gz