diff options
author | Simon McVittie <smcv@collabora.com> | 2022-09-12 13:14:18 +0100 |
---|---|---|
committer | Simon McVittie <smcv@collabora.com> | 2022-10-05 10:46:15 +0100 |
commit | 3b8a7aff228770f4f7b478db606b10cceacea875 (patch) | |
tree | bf7922397e9611a8e5bb75014516485392d5bc1c | |
parent | 35d12acb0e249fae85221ca8c27c109e7a59c1cc (diff) | |
download | dbus-3b8a7aff228770f4f7b478db606b10cceacea875.tar.gz |
dbus-marshal-validate: Validate length of arrays of fixed-length items
This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.
Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
-rw-r--r-- | dbus/dbus-marshal-validate.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c index ae68414d..7d0d6cf7 100644 --- a/dbus/dbus-marshal-validate.c +++ b/dbus/dbus-marshal-validate.c @@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader, */ if (dbus_type_is_fixed (array_elem_type)) { + /* Note that fixed-size types all have sizes equal to + * their alignments, so this is really the item size. */ + alignment = _dbus_type_get_alignment (array_elem_type); + _dbus_assert (alignment == 1 || alignment == 2 || + alignment == 4 || alignment == 8); + + /* Because the alignment is a power of 2, this is + * equivalent to: (claimed_len % alignment) != 0, + * but avoids slower integer division */ + if ((claimed_len & (alignment - 1)) != 0) + return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; + /* bools need to be handled differently, because they can * have an invalid value */ if (array_elem_type == DBUS_TYPE_BOOLEAN) { dbus_uint32_t v; - alignment = _dbus_type_get_alignment (array_elem_type); while (p < array_end) { |