diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-08-03 14:46:57 +0200 |
|---|---|---|
| committer | Lukáš Nykrýn <lnykryn@redhat.com> | 2019-05-03 12:50:30 +0200 |
| commit | 871bb5457c5951870d447f53c976a1a1f2dac85d (patch) | |
| tree | ab561f2363b5ec545f5ca7488e0f4229e0a3e63d | |
| parent | fcaaf6f3640c6cac73ba2b3807cde9fd94e0789b (diff) | |
| download | systemd-871bb5457c5951870d447f53c976a1a1f2dac85d.tar.gz | |
bus-message: fix calculation of offsets table for arrays
This is similar to the grandparent commit 'fix calculation of offsets table',
except that now the change is for array elements. Same story as before: we need
to make sure that the offsets increase enough taking alignment into account.
While at it, rename 'p' to 'previous' to match similar code in other places.
(cherry picked from commit f88214cf9d66c93f4d22c4c8980de9ee3ff45bab)
Resolves: #1696224
| -rw-r--r-- | src/libsystemd/sd-bus/bus-message.c | 17 | ||||
| -rw-r--r-- | test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 | bin | 0 -> 41 bytes |
2 files changed, 12 insertions, 5 deletions
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c index c8f7937102..ac823aaf58 100644 --- a/src/libsystemd/sd-bus/bus-message.c +++ b/src/libsystemd/sd-bus/bus-message.c @@ -3532,7 +3532,7 @@ static int bus_message_enter_array( size_t rindex; void *q; - int r, alignment; + int r; assert(m); assert(c); @@ -3558,6 +3558,7 @@ static int bus_message_enter_array( if (!BUS_MESSAGE_IS_GVARIANT(m)) { /* dbus1 */ + int alignment; r = message_peek_body(m, &rindex, 4, 4, &q); if (r < 0) @@ -3591,7 +3592,8 @@ static int bus_message_enter_array( *n_offsets = 0; } else { - size_t where, p = 0, framing, sz; + size_t where, previous = 0, framing, sz; + int alignment; unsigned i; /* gvariant: variable length array */ @@ -3619,17 +3621,22 @@ static int bus_message_enter_array( if (!*offsets) return -ENOMEM; + alignment = bus_gvariant_get_alignment(c->signature); + assert(alignment > 0); + for (i = 0; i < *n_offsets; i++) { - size_t x; + size_t x, start; + + start = ALIGN_TO(previous, alignment); x = bus_gvariant_read_word_le((uint8_t*) q + i * sz, sz); if (x > c->item_size - sz) return -EBADMSG; - if (x < p) + if (x < start) return -EBADMSG; (*offsets)[i] = rindex + x; - p = x; + previous = x; } *item_size = (*offsets)[0] - rindex; diff --git a/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 b/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 Binary files differnew file mode 100644 index 0000000000..26262e1149 --- /dev/null +++ b/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 |