diff options
author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2011-06-10 18:57:42 +0100 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2011-06-10 18:57:42 +0100 |
commit | 6519a1f77c61d753d4c97efd6e15630eb275336e (patch) | |
tree | 816d13406ac63588c20a544a5b4615ae091bb9b2 | |
parent | 4df3e187b482a2bf2230c36c4b1c7bc4d439d51a (diff) |
_dbus_header_byteswap: change the first byte of the message, not just the struct member
This has been wrong approximately forever, for instance see:
http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
Backported: from dbus-1.4, c3223ba6c401ba81df1305851312a47c485e6cd7
-rw-r--r-- | NEWS | 10 | ||||
-rw-r--r-- | dbus/dbus-marshal-header.c | 6 |
2 files changed, 16 insertions, 0 deletions
@@ -1,3 +1,13 @@ +D-Bus 1.2.28 (UNRELEASED) +== + +• Byte-swap foreign-endian messages correctly, preventing a long-standing + local DoS if foreign-endian messages are relayed through the dbus-daemon + (fd.o #38120, Debian #629938, no CVE number yet; Simon McVittie) + +• Use AC_TRY_COMPILE in configure to avoid a symlink attack in /tmp + during compilation + D-Bus 1.2.26 (21 December 2010) == diff --git a/dbus/dbus-marshal-header.c b/dbus/dbus-marshal-header.c index ec98a5ee..896e3ce1 100644 --- a/dbus/dbus-marshal-header.c +++ b/dbus/dbus-marshal-header.c @@ -1462,14 +1462,20 @@ void _dbus_header_byteswap (DBusHeader *header, int new_order) { + unsigned char byte_order; + if (header->byte_order == new_order) return; + byte_order = _dbus_string_get_byte (&header->data, BYTE_ORDER_OFFSET); + _dbus_assert (header->byte_order == byte_order); + _dbus_marshal_byteswap (&_dbus_header_signature_str, 0, header->byte_order, new_order, &header->data, 0); + _dbus_string_set_byte (&header->data, BYTE_ORDER_OFFSET, new_order); header->byte_order = new_order; } |