authorSimon McVittie <simon.mcvittie@collabora.co.uk>2014-09-15 19:20:03 +0100
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2014-09-15 19:20:03 +0100
commit346da99f7620e6901e7c7babd4590fcc5aac32bf (patch)
tree910dc072f5f429f9aa928d76e6daa29ef6e6c3b4
parent6060aaa0ea1e9bbe1dd7a1864c8df52e333a45ee (diff)
config: add new limit: pending_fd_timeout
When a file descriptor is passed to dbus-daemon, the associated D-Bus message might not be fully sent to dbus-daemon yet. The daemon keeps the file descriptor in the DBusMessageLoader of the connection, waiting for the rest of the message. If the client stops sending the remaining bytes, dbus-daemon will wait forever and keep that file descriptor.

This patch adds pending_fd_timeout (milliseconds) in the configuration to disconnect a connection after a timeout when a file descriptor was sent but not the remaining message.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Conflicts: cmake/bus/dbus-daemon.xml
-rw-r--r--bus/config-parser.c6
-rw-r--r--bus/session.conf.in3
-rw-r--r--dbus/dbus-message.c3
-rw-r--r--dbus/dbus-sysdeps.h8
4 files changed, 15 insertions, 5 deletions
diff --git a/bus/config-parser.c b/bus/config-parser.c
index e4a02628..cc29ef44 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -413,9 +413,9 @@ bus_config_parser_new (const DBusString *basedir,
maximum number of file descriptors we can receive. Picking a
high value here thus translates directly to more memory
allocation. */
- parser->limits.max_incoming_unix_fds = 1024*4;
- parser->limits.max_outgoing_unix_fds = 1024*4;
- parser->limits.max_message_unix_fds = 1024;
+ parser->limits.max_incoming_unix_fds = DBUS_DEFAULT_MESSAGE_UNIX_FDS*4;
+ parser->limits.max_outgoing_unix_fds = DBUS_DEFAULT_MESSAGE_UNIX_FDS*4;
+ parser->limits.max_message_unix_fds = DBUS_DEFAULT_MESSAGE_UNIX_FDS;
/* Making this long means the user has to wait longer for an error
* message if something screws up, but making it too short means
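Review bot: The `*4` factor on the two per-connection limits is unexplained, and with the new constant it silently sets max_incoming_unix_fds and max_outgoing_unix_fds to 64. A short comment such as `/* allow up to four maximum-sized messages' worth of fds to be queued per connection */` would record the intent, if that is the intent, which the hunk does not say. Because these totals bound how many descriptors a single peer can keep pinned in the daemon, the comment should also say how the figure relates to the connection-count limits and the process fd limit, both of which are set outside this hunk. bus_config_parser_new starts and ends outside the visible lines.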
diff --git a/bus/session.conf.in b/bus/session.conf.in
index e121ff93..6ce8503a 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -49,7 +49,8 @@
<limit name="max_outgoing_bytes">1000000000</limit>
<limit name="max_outgoing_unix_fds">250000000</limit>
<limit name="max_message_size">1000000000</limit>
- <limit name="max_message_unix_fds">4096</limit>
+ <!-- We do not override max_message_unix_fds here since the in-kernel
+ limit is also relatively low -->
<limit name="service_start_timeout">120000</limit>
<limit name="auth_timeout">240000</limit>
<limit name="max_completed_connections">100000</limit>
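Review bot: The added comment explains why max_message_unix_fds is no longer overridden, but `max_outgoing_unix_fds` remains at 250000000 a few lines above, so the session bus now pairs a low per-message default with an effectively unbounded per-connection fd queue. If that is deliberate because session-bus peers are assumed to run as the same user, the file should say so, e.g. `<!-- Per-connection fd totals stay effectively unlimited on the session bus; only the per-message default is inherited -->`. Naming the kernel limit the comment alludes to would also let a reader check what "relatively low" means.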
diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
index fc61ae71..b0c641ea 100644
--- a/dbus/dbus-message.c
+++ b/dbus/dbus-message.c
@@ -35,6 +35,7 @@
#include "dbus-list.h"
#include "dbus-threads-internal.h"
#ifdef HAVE_UNIX_FD_PASSING
+#include "dbus-sysdeps.h"
#include "dbus-sysdeps-unix.h"
#endif
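Review bot: The new `#include "dbus-sysdeps.h"` sits inside `#ifdef HAVE_UNIX_FD_PASSING`, while the assignment `loader->max_message_unix_fds = DBUS_DEFAULT_MESSAGE_UNIX_FDS;` in the next hunk of this file shows no such guard in its context lines. If that assignment is compiled unconditionally, builds without fd passing get the macro only through some other header's transitive include. Moving the include above the `#ifdef` would make the dependency explicit and keep the two configurations from diverging.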
@@ -3802,7 +3803,7 @@ _dbus_message_loader_new (void)
SCM_RIGHTS works we need to preallocate an fd array of the maximum
number of unix fds we want to receive in advance. A
try-and-reallocate loop is not possible. */
- loader->max_message_unix_fds = 1024;
+ loader->max_message_unix_fds = DBUS_DEFAULT_MESSAGE_UNIX_FDS;
if (!_dbus_string_init (&loader->data))
{
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
index df4c5e00..64b63635 100644
--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
@@ -537,6 +537,14 @@ void _dbus_request_file_descriptor_limit (unsigned int limit);
const char *
_dbus_replace_install_prefix (const char *configure_time_path);
+/* Do not set this too high: it is a denial-of-service risk.
+ * See <https://bugs.freedesktop.org/show_bug.cgi?id=82820>
+ *
+ * (This needs to be in the non-Unix-specific header so that
+ * the config-parser can use it.)
+ */
+#define DBUS_DEFAULT_MESSAGE_UNIX_FDS 16
+
/** @} */
DBUS_END_DECLS