author: Simon McVittie <simon.mcvittie@collabora.co.uk> 2014-09-09 12:44:22 +0100
committer: Simon McVittie <simon.mcvittie@collabora.co.uk> 2014-09-15 19:23:03 +0100
commit: 94b8d5e7a85bfb6c9a92b8e22e382b2e0ded2b59 (patch)
tree: 5a0225b7d3418161e3cd481a26b9fe7c19cf52d5 /configure.ac
parent: b1e9a2b4bd858b37c0bc02aa102b97530083a703 (diff)
_dbus_read_socket_with_unix_fds: do not accept extra fds in cmsg padding
This addresses CVE-2014-3635.

If (*n_fds * sizeof (int) % sizeof (size_t)) is nonzero, then CMSG_SPACE (*n_fds * sizeof (int)) > CMSG_LEN (*n_fds * sizeof (int)) because the SPACE includes padding to a size_t boundary, whereas the LEN does not. We have to allocate the SPACE.

Previously, we told the kernel that the buffer size we wanted was the SPACE, not the LEN, which meant it was free to fill the padding with additional fds: on a 64-bit platform with 32-bit int, that's one extra fd, if *n_fds happens to be odd.

This meant that a malicious sender could send exactly 1 fd too many, which would make us fail an assertion if enabled, or overrun a buffer by 1 fd otherwise.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
(cherry picked from commit ee11ec12566afda5dee8a3a834274421a20661de)
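The CMSG_SPACE/CMSG_LEN mismatch the message describes is easy to reproduce on a socketpair. The program below is an added illustration, not dbus code and not the patch itself: `padding_fd_slots` computes how many whole `int` slots lie between CMSG_LEN and CMSG_SPACE for a given fd count, and `recv_fds` receives with the control buffer always allocated at CMSG_SPACE but with `msg_controllen` advertised either as CMSG_SPACE (the pre-fix behaviour the message describes) or as CMSG_LEN (the direction of the fix, inferred from the message's wording). `demo` is a constructed scenario in which a peer sends two descriptors while the receiver expects one; the receiver stores at most the expected number and closes any surplus rather than overrunning its array. All function names are hypothetical; the kernel behaviour exercised (filling the padding, truncating with MSG_CTRUNC when the advertised length is tight) is Linux's.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Whole int slots between CMSG_LEN and CMSG_SPACE for n_fds descriptors:
 * 1 on LP64 when n_fds is odd, 0 otherwise (and 0 on ILP32). */
static unsigned padding_fd_slots(unsigned n_fds)
{
    return (unsigned) ((CMSG_SPACE(n_fds * sizeof(int)) - CMSG_LEN(n_fds * sizeof(int))) / sizeof(int));
}

/* Sender side: one data byte carrying n descriptors as SCM_RIGHTS. 0 on success. */
static int send_fds(int sock, const int *fds, unsigned n)
{
    char byte = 'x';
    struct iovec iov = { &byte, 1 };
    struct msghdr m;
    struct cmsghdr *cm;
    char *buf = calloc(1, CMSG_SPACE(n * sizeof(int)));
    ssize_t r;

    if (buf == NULL)
        return -1;
    memset(&m, 0, sizeof m);
    m.msg_iov = &iov;
    m.msg_iovlen = 1;
    m.msg_control = buf;
    m.msg_controllen = CMSG_SPACE(n * sizeof(int));
    cm = CMSG_FIRSTHDR(&m);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(n * sizeof(int));
    memcpy(CMSG_DATA(cm), fds, n * sizeof(int));
    r = sendmsg(sock, &m, 0);
    free(buf);
    return r == 1 ? 0 : -1;
}

/* Receiver side expecting at most n_fds. The buffer is always CMSG_SPACE bytes
 * (it has to be); advertise_space picks what msg_controllen tells the kernel:
 * CMSG_SPACE (pre-fix) or CMSG_LEN (fixed). Stores at most n_fds descriptors in
 * out_fds, closes any surplus instead of overrunning, and returns how many the
 * kernel actually delivered so the caller can observe the difference. -1 on error. */
static int recv_fds(int sock, int *out_fds, unsigned n_fds, int advertise_space)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    struct msghdr m;
    struct cmsghdr *cm;
    char *buf = calloc(1, CMSG_SPACE(n_fds * sizeof(int)));
    int delivered = 0;

    if (buf == NULL)
        return -1;
    memset(&m, 0, sizeof m);
    m.msg_iov = &iov;
    m.msg_iovlen = 1;
    m.msg_control = buf;
    m.msg_controllen = advertise_space ? CMSG_SPACE(n_fds * sizeof(int))
                                       : CMSG_LEN(n_fds * sizeof(int));
    if (recvmsg(sock, &m, 0) != 1) {
        free(buf);
        return -1;
    }
    for (cm = CMSG_FIRSTHDR(&m); cm != NULL; cm = CMSG_NXTHDR(&m, cm)) {
        unsigned i, count;
        const int *fds;
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        /* Derive the count from cmsg_len, never from what we asked for. */
        count = (unsigned) ((cm->cmsg_len - CMSG_LEN(0)) / sizeof(int));
        fds = (const int *) CMSG_DATA(cm);
        for (i = 0; i < count; i++) {
            if ((unsigned) delivered < n_fds)
                out_fds[delivered] = fds[i];
            else
                close(fds[i]);   /* the "1 fd too many" case: drop it, don't write past out_fds */
            delivered++;
        }
    }
    free(buf);
    return delivered;
}

/* Constructed scenario: peer sends 2 fds (a pipe), receiver expects 1.
 * Returns the number of fds the kernel delivered to the receiver, or -1. */
static int demo(int advertise_space)
{
    int sv[2], pipefd[2], got[1], delivered, i;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(pipefd) != 0)
        return -1;
    if (send_fds(sv[0], pipefd, 2) != 0)
        return -1;
    delivered = recv_fds(sv[1], got, 1, advertise_space);
    for (i = 0; i < delivered && i < 1; i++)
        close(got[i]);
    close(pipefd[0]); close(pipefd[1]); close(sv[0]); close(sv[1]);
    return delivered;
}

int main(void)
{
    printf("padding slots when expecting 1 fd: %u\n", padding_fd_slots(1));
    printf("pre-fix receiver got %d fd(s); fixed receiver got %d fd(s)\n", demo(1), demo(0));
    return 0;
}
```

On an LP64 Linux box the pre-fix receiver reports 2 descriptors for an expected count of 1, exactly the padding slot the message describes, while the CMSG_LEN receiver gets 1 and the kernel flags MSG_CTRUNC; on ILP32, where CMSG_SPACE and CMSG_LEN coincide, both paths deliver 1. The defensive points are the two that survive any platform: derive the count from `cmsg_len` rather than from the requested size, and bound writes into the caller's array by that requested size.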
Diffstat (limited to 'configure.ac')
0 files changed, 0 insertions, 0 deletions