author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-08-11 08:32:20 +0200 |
---|---|---|
committer | Lukáš Nykrýn <lnykryn@redhat.com> | 2019-05-03 12:50:30 +0200 |
commit | d212765dc94ba25c04e0e9a278586f0e86851e35 (patch) | |
tree | c37441367f64b3d16430e0169f96858821977b20 | |
parent | f6af2bfe4b353b25a61c362c3ada9be06c8f15c9 (diff) | |
bus-message: fix skipping of array fields in !gvariant messages
We copied part of the string into a buffer that was off by two.
If the element signature had length one, we'd copy 0 bytes and crash when
looking at the "first" byte. Otherwise, we would crash because strncpy would
not terminate the string.
(cherry picked from commit 73777ddba5100fe6c0791cd37a91f24a515f3202)
Resolves: #1696224
-rw-r--r-- | src/libsystemd/sd-bus/bus-message.c | 8 | ||||
-rw-r--r-- | test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 | bin | 0 -> 534 bytes |
2 files changed, 4 insertions, 4 deletions
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 09e72d89dd..202f1aab30 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -4981,18 +4981,18 @@ static int message_skip_fields(
                 } else if (t == SD_BUS_TYPE_ARRAY) {
-                        r = signature_element_length(*signature+1, &l);
+                        r = signature_element_length(*signature + 1, &l);
                         if (r < 0)
                                 return r;
                         assert(l >= 1);
                         {
-                                char sig[l-1], *s;
+                                char sig[l + 1], *s = sig;
                                 uint32_t nas;
                                 int alignment;
-                                strncpy(sig, *signature + 1, l-1);
-                                s = sig;
+                                strncpy(sig, *signature + 1, l);
+                                sig[l] = '\0';
                                 alignment = bus_type_get_alignment(sig[0]);
                                 if (alignment < 0)
diff --git a/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 b/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
Binary files differ
new file mode 100644
index 0000000000..6a20265a39
--- /dev/null
+++ b/test/fuzz/fuzz-bus-message/crash-37449529b1ad867f0c2671fa80aca5d7812a2b70
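Review bot: With the copy length now known exactly, the added pair `strncpy(sig, *signature + 1, l); sig[l] = '\0';` is better written as `memcpy(sig, *signature + 1, l); sig[l] = '\0';` — strncpy's pad-and-maybe-not-terminate semantics are exactly what produced the original crash, and a fixed-length copy makes the explicit terminator the obvious requirement rather than a follow-up the next reader may remove. The copy itself looks correct: signature_element_length succeeded on `*signature + 1`, so l bytes are readable there, and the VLA is l + 1 wide. `sig` is a VLA whose size comes from a length derived from the message signature; if l is not bounded by earlier signature validation (not visible from this hunk), a hostile signature would size a stack allocation, so once the bound is confirmed a one-line comment such as `/* l is bounded by the maximum signature length checked at parse time */` above the declaration would document why the VLA is safe. message_skip_fields begins before and ends after this hunk.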