author | Simon McVittie <smcv@collabora.com> | 2022-09-30 14:01:05 +0100 |
---|---|---|
committer | Simon McVittie <smcv@collabora.com> | 2022-10-05 10:47:20 +0100 |
commit | f5a174649bd32a29e734b5687524f5677f82c36a (patch) | |
tree | 9ae58a5089ebf43b16a5073f1321e16b4e4e26f3 | |
parent | 5d2b764d1fcbc1992b9fd5e532cd925bd3d69e6b (diff) | |
download | dbus-f5a174649bd32a29e734b5687524f5677f82c36a.tar.gz |
test: Parse a message with a byteswapped Unix fd index
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit bef693f442d854505e7013fd31efe41747d7493c)
[backport to 1.14.x: discard Meson build system updates]
(cherry picked from commit 71dd3ad20cf8aca3310fa8d533801fb1d8bdaf1a)
[backport to 1.12.x: resolve conflicts in Autotools build system]
-rw-r--r-- | test/Makefile.am | 2 | ||||
-rw-r--r-- | test/data/valid-messages/byteswap-fd-index.message-raw | bin | 0 -> 36 bytes | |||
-rw-r--r-- | test/data/valid-messages/byteswap-fd-index.message-raw.hex | 43 | ||||
-rw-r--r-- | test/message.c | 1 |
4 files changed, 46 insertions, 0 deletions
diff --git a/test/Makefile.am b/test/Makefile.am
index 99d6485b..3bbf7f73 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -548,6 +548,8 @@ static_data = \
 data/valid-config-files-system/many-rules.conf \
 data/valid-config-files-system/system.d/test.conf \
 data/valid-messages/array-of-array-of-uint32.message \
+ data/valid-messages/byteswap-fd-index.message-raw \
+ data/valid-messages/byteswap-fd-index.message-raw.hex \
 data/valid-messages/dict-simple.message \
 data/valid-messages/dict.message \
 data/valid-messages/emptiness.message \
diff --git a/test/data/valid-messages/byteswap-fd-index.message-raw b/test/data/valid-messages/byteswap-fd-index.message-raw
Binary files differ
new file mode 100644
index 00000000..a1724ff8
--- /dev/null
+++ b/test/data/valid-messages/byteswap-fd-index.message-raw
diff --git a/test/data/valid-messages/byteswap-fd-index.message-raw.hex b/test/data/valid-messages/byteswap-fd-index.message-raw.hex
new file mode 100644
index 00000000..f3d0f912
--- /dev/null
+++ b/test/data/valid-messages/byteswap-fd-index.message-raw.hex
@@ -0,0 +1,43 @@
+# Copyright 2022 Evgeny Vereshchagin
+# Copyright 2022 Collabora Ltd.
+# SPDX-License-Identifier: MIT
+#
+# This is an annotated hex-dump of a message originally generated by a
+# fuzzer.
+#
+# To output as binary:
+# sed -e 's/#.*//' test/data/invalid-messages/endian.message-raw.hex |
+# xxd -p -r - test/data/invalid-messages/endian.message-raw
+#
+# This message is technically valid, but not practically useful: it
+# contains a "handle" for the 4163371528th out-of-band file descriptor,
+# which is not a practically useful thing to send, because it exceeds any
+# reasonable number of file descriptors to attach to a message.
+#
+# The message is also in big-endian encoding (the opposite of the encoding
+# used by all commonly-used CPU architectures in 2022), which until
+# recently would trigger a denial-of-service vulnerability in the dbus
+# message marshalling code.
+
+# Offset % 0x10:
+# 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
+
+ 42 # big-endian
+ 2d # an undefined message type
+ 31 # flags
+ 01 # major protocol version 1
+ 0000 000c # message body is 0x0c = 12 bytes
+ 97bc 9023 # serial number 0x97bc9023
+ 0000 0008 # header is an array of 8 bytes of struct (yv)
+ 08 # header field code 0x08 (signature)
+ 01 # variant signature is 1 byte
+ 6700 # "g" \0
+ 02 # signature is 2 bytes
+ 68 7600 # "hv" \0
+ # begin message body, 12 bytes
+ f828 0208 # out-of-band fd, index = 0xf8280208
+ 02 # variant signature is 2 bytes
+ 61 7600 # "av" \0
+ 0000 0000 # array length is 0
+
+#sha1 f99a286aaaf84d9b97549f35f71042f4a2f37e78
diff --git a/test/message.c b/test/message.c
index 887935dd..5204910d 100644
--- a/test/message.c
+++ b/test/message.c
@@ -512,6 +512,7 @@ add_oom_test (const gchar *name,
 static const char *valid_messages[] =
 {
+ "byteswap-fd-index",
 "minimal",
 }; |
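Review bot: The regeneration recipe in the header comment of byteswap-fd-index.message-raw.hex names a different fixture: both the `sed` input and the `xxd` output point at `test/data/invalid-messages/endian.message-raw`, so anyone following it verbatim would read or overwrite the wrong file instead of rebuilding this one. The two lines should read `# sed -e 's/#.*//' test/data/valid-messages/byteswap-fd-index.message-raw.hex |` and `# xxd -p -r - test/data/valid-messages/byteswap-fd-index.message-raw`. The closing `#sha1` line also does not say what it hashes; if it is the digest of the generated binary, a short comment such as `# SHA-1 of the .message-raw produced by the command above` would let a reviewer confirm that the committed binary matches this annotated dump.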
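Review bot: The new `"byteswap-fd-index"` entry in `valid_messages` probably reaches the byte-swapping code only on a little-endian host, because the fixture is encoded big-endian (first byte `42` in the annotated dump). On a big-endian builder the message would presumably be parsed in native order, so the regression test for issue 417 could pass without exercising the fixed path. A little-endian twin of the same message (first byte `6c`, multi-byte fields swapped) listed next to it would keep the coverage on both kinds of host. A one-line comment above the entry, for example `/* big-endian message with an implausibly large fd index, dbus#417 */`, would also record why such a message is listed as valid.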