CVE-2022-42010: dbus-daemon crashes when receiving message with incorrectly nested parentheses and curly brackets
@evverx discovered that dbus-daemon and other uses of DBusServer can be crashed by sending a message containing a type-signature in which parentheses (()
, struct/tuple) and curly brackets ({}
, dict-entry) are incorrectly nested.
This was originally reported in a comment on #413, but it is not really related to #413 (closed), except that they are both denial-of-service vulnerabilities.
Here is a hex-dump of a reproducer that @evverx provided:
$ xxd -ps minimized-from-e1f55a417825f05084b88a0aae8525e0fbb07075
6c8f2801000000007b22000818000000fd152874617b79617b64617b7961
7b7961717d7d7d297d0000000000000000000c0000000000000000000000
00000000feff0000
which contains invalid signature (ta{ya{da{ya{yaq}}})}
. A more minimal reproducer would be (a{xy)}
.