diff options
| author | Alban Crequy <alban.crequy@collabora.co.uk> | 2014-07-04 15:05:51 +0100 |
|---|---|---|
| committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2014-09-15 12:28:37 +0100 |
| commit | 8ad179a8dad789fc6a5402780044bc0ec3d41115 (patch) | |
| tree | a0aa286cd837e1064acd0da5390824bec0f176f6 /bus/bus.c | |
| parent | 54d26df52b6a394bea175651d1d7ad2ab3f87dea (diff) | |
| download | dbus-8ad179a8dad789fc6a5402780044bc0ec3d41115.tar.gz | |
Stop listening on DBusServer sockets when reaching max_incomplete_connections
This addresses the parts of CVE-2014-3639 not already addressed by
reducing the default authentication timeout.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Diffstat (limited to 'bus/bus.c')
| -rw-r--r-- | bus/bus.c | 37 |
1 files changed, 37 insertions, 0 deletions
@@ -39,6 +39,7 @@ #include <dbus/dbus-hash.h> #include <dbus/dbus-credentials.h> #include <dbus/dbus-internals.h> +#include <dbus/dbus-server-protected.h> #ifdef DBUS_CYGWIN #include <signal.h> @@ -68,6 +69,7 @@ struct BusContext unsigned int keep_umask : 1; unsigned int allow_anonymous : 1; unsigned int systemd_activation : 1; + dbus_bool_t watches_enabled; }; static dbus_int32_t server_data_slot = -1; @@ -758,6 +760,8 @@ bus_context_new (const DBusString *config_file, goto failed; } + context->watches_enabled = TRUE; + context->registry = bus_registry_new (context); if (context->registry == NULL) { @@ -1658,3 +1662,36 @@ bus_context_check_security_policy (BusContext *context, _dbus_verbose ("security policy allowing message\n"); return TRUE; } + +void +bus_context_check_all_watches (BusContext *context) +{ + DBusList *link; + dbus_bool_t enabled = TRUE; + + if (bus_connections_get_n_incomplete (context->connections) >= + bus_context_get_max_incomplete_connections (context)) + { + enabled = FALSE; + } + + if (context->watches_enabled == enabled) + return; + + context->watches_enabled = enabled; + + for (link = _dbus_list_get_first_link (&context->servers); + link != NULL; + link = _dbus_list_get_next_link (&context->servers, link)) + { + /* A BusContext might contains several DBusServer (if there are + * several <listen> configuration items) and a DBusServer might + * contain several DBusWatch in its DBusWatchList (if getaddrinfo + * returns several addresses on a dual IPv4-IPv6 stack or if + * systemd passes several fds). + * We want to enable/disable them all. + */ + DBusServer *server = link->data; + _dbus_server_toggle_all_watches (server, enabled); + } +} |