author: Simon McVittie <simon.mcvittie@collabora.co.uk> 2014-06-11 12:24:20 +0100
committer: Simon McVittie <simon.mcvittie@collabora.co.uk> 2014-06-30 14:18:23 +0100
commit: b9c338e32390f953d4c9772daef31187a117b376 (patch)
tree: b59474ffe12db5c7cab3547afcfb98782a374311
parent: 370b2aa04677d447d7b0e63c25397ba8b2193f79 (diff)
If loader contains two messages with fds, don't corrupt the second
There were two bugs here: we would previously overwrite the unused fds with the already-used fds instead of the other way round, and we would copy n bytes where we should have copied n ints.

Additionally, sending crafted messages in a chosen sequence to a victim system service could cause an invalid file descriptor to be present when dbus-daemon tries to forward one of those crafted messages to the victim, causing sendmsg() to fail with EBADF, which resulted in disconnecting the victim service, which would likely respond to that by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
-rw-r--r-- dbus/dbus-message.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
index a34ea1d1..fc61ae71 100644
--- a/dbus/dbus-message.c
+++ b/dbus/dbus-message.c
@@ -4129,7 +4129,7 @@ load_message (DBusMessageLoader *loader,
message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds;
loader->n_unix_fds -= n_unix_fds;
- memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds);
+ memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0]));
}
else
message->unix_fds = NULL;
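Review bot: the size argument of the new memmove depends on `loader->n_unix_fds` having already been decremented on the line just above it, so within this hunk the same field is first the count being consumed and then the count of fds still left to shift; a one-line comment above the memmove (e.g. `/* move the remaining, not-yet-consumed fds to the front of the array */`) would make that ordering explicit, and since the old line also silently treated the count as a byte length, a regression test that loads two fd-carrying messages through one loader and checks that the second message's fds are intact (the case named in the commit title) would guard against either the direction or the `sizeof` mistake coming back.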