Commit 079bbf16 authored by Simon McVittie

dbus-marshal-validate: Validate length of arrays of fixed-length items

This fast-path previously did not check that the array was made up
of an integer number of items. This could lead to assertion failures
and out-of-bounds accesses during subsequent message processing (which
assumes that the message has already been validated), particularly after
the addition of _dbus_header_remove_unknown_fields(), which makes it
more likely that dbus-daemon will apply non-trivial edits to messages.

Thanks: Evgeny Vereshchagin
Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
Resolves: #413
Resolves: CVE-2022-42011
Signed-off-by: Simon McVittie <smcv@collabora.com>
parent 67800ac5
......@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader,
*/
if (dbus_type_is_fixed (array_elem_type))
{
/* Note that fixed-size types all have sizes equal to
* their alignments, so this is really the item size. */
alignment = _dbus_type_get_alignment (array_elem_type);
_dbus_assert (alignment == 1 || alignment == 2 ||
alignment == 4 || alignment == 8);
/* Because the alignment is a power of 2, this is
* equivalent to: (claimed_len % alignment) != 0,
* but avoids slower integer division */
if ((claimed_len & (alignment - 1)) != 0)
return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
/* bools need to be handled differently, because they can
* have an invalid value
*/
if (array_elem_type == DBUS_TYPE_BOOLEAN)
{
dbus_uint32_t v;
alignment = _dbus_type_get_alignment (array_elem_type);
while (p < array_end)
{
......
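Review bot: the reassignment `alignment = _dbus_type_get_alignment (array_elem_type);` inside the `DBUS_TYPE_BOOLEAN` branch is now redundant, because the same value is computed and asserted a few lines earlier in the new code; dropping the second call would avoid suggesting to a later reader that the two values can differ. The new length check itself looks right: the `_dbus_assert (alignment == 1 || alignment == 2 || alignment == 4 || alignment == 8)` guarantees the `claimed_len & (alignment - 1)` mask is a valid substitute for `claimed_len % alignment`, and returning `DBUS_INVALID_ARRAY_LENGTH_INCORRECT` on a non-integral item count rejects the message at validation time, which is the point where the commit message says later code (including `_dbus_header_remove_unknown_fields()`) assumes the body is already well-formed. It would be worth adding a regression test that feeds an array of fixed-size items whose byte length is not a multiple of the item size and asserts this exact validity code, so the fast path stays covered if it is refactored again.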