diff options
| author | Alban Crequy <alban.crequy@collabora.co.uk> | 2014-06-24 17:57:14 +0100 |
|---|---|---|
| committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2014-06-30 14:18:27 +0100 |
| commit | 8c7176019fbc2e8fee41d93ce82ac2603fe57d67 (patch) | |
| tree | ac05aa38d4151771c3a979e918609971199761d0 /dbus/dbus-sysdeps.c | |
| parent | b9c338e32390f953d4c9772daef31187a117b376 (diff) | |
Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS)
Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
applications. A malicious client could use this to force a victim system
service to be disconnected from the system bus; the victim would likely
respond by exiting. This is a denial of service (fd.o #80163,
CVE-2014-3532).
This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
the connection.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163
Reviewed-by: Thiago Macieira <thiago@kde.org>
[altered commit message to explain DoS significance -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Diffstat (limited to 'dbus/dbus-sysdeps.c')
| -rw-r--r-- | dbus/dbus-sysdeps.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c index 04fb8d76..8ed7da97 100644 --- a/dbus/dbus-sysdeps.c +++ b/dbus/dbus-sysdeps.c @@ -760,6 +760,20 @@ _dbus_get_is_errno_epipe (void) } /** + * See if errno is ETOOMANYREFS + * @returns #TRUE if errno == ETOOMANYREFS + */ +dbus_bool_t +_dbus_get_is_errno_etoomanyrefs (void) +{ +#ifdef ETOOMANYREFS + return errno == ETOOMANYREFS; +#else + return FALSE; +#endif +} + +/** * Get error message from errno * @returns _dbus_strerror(errno) */ |