message: Fix assertion failure unpacking handle to an out-of-range fd

In the D-Bus wire protocol, the representation of a Unix fd is a simple
integer in the message body (referred to as the "handle" in GDBus)
which acts as an index into the array of out-of-band fds attached to
the message. The libdbus API (and therefore the dbus-python API)
automatically translates handles into fds, but the GDBus API does not,
making it possible for a GDBus sender to send a message containing
handles that are out-of-range for the number of attached fds. The
message bus also does not prevent such messages from being sent.

dbus-python services need to cope with this and fail gracefully while
unpacking the message, rather than crashing with an assertion failure
in UnixFd_tp_new when the fd turns out to be invalid.

Resolves: https://github.com/firewalld/firewalld/issues/985
Signed-off-by: Simon McVittie <smcv@collabora.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/dbus_bindings/message-get-args.c b/dbus_bindings/message-get-args.c
index 6dad272..628a616 100644
--- a/dbus_bindings/message-get-args.c
+++ b/dbus_bindings/message-get-args.c
@@ -307,7 +307,15 @@ _message_iter_get_pyobject(DBusMessageIter *iter,
 #ifdef DBUS_TYPE_UNIX_FD
         case DBUS_TYPE_UNIX_FD:
             DBG("%s", "found an unix fd");
+            /* Note that this can return an invalid fd (less than 0) if the
+             * sender has included an index numerically greater than the
+             * number of fds that were attached out-of-band to the message.
+             * libdbus cannot send messages like this, but GDBus can. */
             dbus_message_iter_get_basic(iter, &u.fd);
+            if (u.fd < 0) {
+                PyErr_Format(PyExc_ValueError, "invalid file descriptor in message");
+                break;
+            }
             args = Py_BuildValue("(i)", u.fd);
             if (args) {
                 ret = PyObject_Call((PyObject *)&DBusPyUnixFd_Type, args,