From 6519a1f77c61d753d4c97efd6e15630eb275336e Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Fri, 10 Jun 2011 18:57:42 +0100
Subject: _dbus_header_byteswap: change the first byte of the message, not just the struct member

This has been wrong approximately forever, for instance see: http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
Reviewed-by: Will Thompson
Backported: from dbus-1.4, c3223ba6c401ba81df1305851312a47c485e6cd7
---
 NEWS | 10 ++++++++++
 dbus/dbus-marshal-header.c | 6 ++++++
 2 files changed, 16 insertions(+)
diff --git a/NEWS b/NEWS
index 3bee8c40..be5c0144 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,13 @@
+D-Bus 1.2.28 (UNRELEASED)
+==
+
+• Byte-swap foreign-endian messages correctly, preventing a long-standing
+ local DoS if foreign-endian messages are relayed through the dbus-daemon
+ (fd.o #38120, Debian #629938, no CVE number yet; Simon McVittie)
+
+• Use AC_TRY_COMPILE in configure to avoid a symlink attack in /tmp
+ during compilation
+
 D-Bus 1.2.26 (21 December 2010)
 ==
 
diff --git a/dbus/dbus-marshal-header.c b/dbus/dbus-marshal-header.c
index ec98a5ee..896e3ce1 100644
--- a/dbus/dbus-marshal-header.c
+++ b/dbus/dbus-marshal-header.c
@@ -1462,14 +1462,20 @@ void
 _dbus_header_byteswap (DBusHeader *header,
 int new_order)
 {
+ unsigned char byte_order;
+
 if (header->byte_order == new_order)
 return;
 
+ byte_order = _dbus_string_get_byte (&header->data, BYTE_ORDER_OFFSET);
+ _dbus_assert (header->byte_order == byte_order);
+
 _dbus_marshal_byteswap (&_dbus_header_signature_str,
 0, header->byte_order,
 new_order,
 &header->data, 0);
 
+ _dbus_string_set_byte (&header->data, BYTE_ORDER_OFFSET, new_order);
 header->byte_order = new_order;
 }
 
-- 
cgit v1.2.3
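Review bot: The check that `header->byte_order` agrees with the byte stored at `BYTE_ORDER_OFFSET` exists only inside `_dbus_assert`, so a build with assertions compiled out would perform the swap with nothing verifying the invariant this fix is about, and the local `byte_order` would be assigned but never read. Callers are not visible in this hunk; if the two values can diverge because of message content rather than only through a programming error, the mismatch deserves a real runtime check instead of an assertion. At minimum the extra local can go by folding the read into the assertion, `_dbus_assert (header->byte_order == _dbus_string_get_byte (&header->data, BYTE_ORDER_OFFSET));`. A short comment above the `_dbus_string_set_byte` call, for example `/* the marker byte in the serialized header must change together with the swapped fields */`, would record why both the data byte and the struct member are written.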