summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimon McVittie <simon.mcvittie@collabora.co.uk>2014-06-11 12:24:20 +0100
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2014-06-30 14:04:32 +0100
commit07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e (patch)
treec7fb90974297a036bd6344f2934546624c42d38b
parent019d19214326115bfb53401db3023fe31caa280f (diff)
If loader contains two messages with fds, don't corrupt the second
There were two bugs here: we would previously overwrite the unused fds with the already-used fds instead of the other way round, and we would copy n bytes where we should have copied n ints. Additionally, sending crafted messages in a chosen sequence to a victim system service could cause an invalid file descriptor to be present when dbus-daemon tries to forward one of those crafted messages to the victim, causing sendmsg() to fail with EBADF, which resulted in disconnecting the victim service, which would likely respond to that by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533). Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469 Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
-rw-r--r--dbus/dbus-message.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c
index c6953d02..78df7558 100644
--- a/dbus/dbus-message.c
+++ b/dbus/dbus-message.c
@@ -4204,7 +4204,7 @@ load_message (DBusMessageLoader *loader,
message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds;
loader->n_unix_fds -= n_unix_fds;
- memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds);
+ memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0]));
}
else
message->unix_fds = NULL;