[glib/glib-2-70: 3/4] gdbusmessage: Disallow zero-length elements in arrays




commit 48750feaac0aaeffb48e20b3085baa8716369e91
Author: Sebastian Wilhelmi <wilhelmi google com>
Date:   Thu Jan 6 20:57:49 2022 +0000

    gdbusmessage: Disallow zero-length elements in arrays
    
    They are not allowed in the specification, and can lead to infinite
    loops when parsing.
    
    That’s a security issue if your application is accepting D-Bus messages
    from untrusted peers (perhaps in a peer-to-peer connection). It’s not
    exploitable when your application is connected to a bus (such as the
    system or session buses), as the bus daemons (dbus-daemon or
    dbus-broker) filter out such broken messages and don’t forward them.
    
    Arrays of zero-length elements are disallowed in the D-Bus
    specification: https://dbus.freedesktop.org/doc/dbus-specification.html#container-types
    
    oss-fuzz#41428, #41435
    Fixes: #2557

 gio/gdbusmessage.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
---
diff --git a/gio/gdbusmessage.c b/gio/gdbusmessage.c
index 47f81375f..3415ed613 100644
--- a/gio/gdbusmessage.c
+++ b/gio/gdbusmessage.c
@@ -1849,6 +1849,16 @@ parse_value_from_blob (GMemoryBuffer       *buf,
                         }
                       g_variant_builder_add_value (&builder, item);
                       g_variant_unref (item);
+
+                      /* Array elements must not be zero-length. There are no
+                       * valid zero-length serialisations of any types which
+                       * can be array elements in the D-Bus wire format, so this
+                       * assertion should always hold.
+                       *
+                       * See https://gitlab.gnome.org/GNOME/glib/-/issues/2557
+                       */
+                      g_assert (buf->pos > (gsize) offset);
+
                       offset = buf->pos;
                     }
                 }
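Review bot: The new `g_assert (buf->pos > (gsize) offset);` after `g_variant_unref (item);` handles a condition that, per the commit message, a peer can trigger with a crafted message, so it should be a handled parse failure rather than an assertion. As written, a failing check aborts the whole process, which trades the infinite loop for a crash. In builds that define `G_DISABLE_ASSERT` the check is compiled out, and the loop would advance `offset = buf->pos` without progress again. The comment says the assertion "should always hold", but nothing in this hunk shows where zero-length elements are rejected beforehand. If that validation lives in another patch of this series, name the function in the comment. Otherwise, report an error to the caller here and stop parsing the array.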

