Today's Topics:
1. Buffer overflow ([email protected])
----------------------------------------------------------------------
Date: Fri, 15 May 2020 16:30:55 -0000
From: [email protected]
Subject: Buffer overflow
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Hi.
I think the format_rule() function has a buffer overflow vulnerability.

static void format_rule(struct filter_data *data, char *rule, size_t size)
{
	const char *sender;
	int offset;

	offset = snprintf(rule, size, "type='signal'");
	sender = data->name ? : data->owner;

	if (sender)
		offset += snprintf(rule + offset, size - offset,
				",sender='%s'", sender);
	if (data->path)
		offset += snprintf(rule + offset, size - offset,
				",path='%s'", data->path);
	if (data->interface)
		offset += snprintf(rule + offset, size - offset,
				",interface='%s'", data->interface);
	if (data->member)
		offset += snprintf(rule + offset, size - offset,
				",member='%s'", data->member);
	if (data->argument)
		snprintf(rule + offset, size - offset,
				",arg0='%s'", data->argument);
}

snprintf returns the number of characters that would have been written if n had
been sufficiently large.
If the format string is longer than (size - offset), snprintf will
return a value larger than (size - offset).
In normal cases, DBUS_MAXIMUM_MATCH_RULE_LENGTH(1024) is large, but an attacker
can make malicious, large-scale inputs.
You can find the function in gdbus/watch.c
Thanks.
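
The arithmetic described in the report, next to one way to bound it, as an added example (not code from the report or from connman). remaining_after_sender(), rule_append() and format_rule_checked() are hypothetical names, the 32-byte buffer and the sender string are constructed, and only the first two rule fields are covered.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* "size - offset" as the reported pattern computes it after the sender field.
 * snprintf(NULL, 0, ...) only measures, so nothing is written here. */
static size_t remaining_after_sender(size_t size, const char *sender)
{
	int offset = snprintf(NULL, 0, "type='signal'");
	offset += snprintf(NULL, 0, ",sender='%s'", sender);
	return size - (size_t) offset;	/* wraps to a huge value if offset > size */
}

/* Hypothetical helper: bounded append that reports truncation. */
static int rule_append(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
	va_list ap;
	int n;
	if (*off >= size)	/* also covers size == 0 */
		return -1;
	va_start(ap, fmt);
	n = vsnprintf(buf + *off, size - *off, fmt, ap);
	va_end(ap);
	if (n < 0 || (size_t) n >= size - *off) {
		buf[size - 1] = '\0';
		*off = size;	/* later appends are refused by the check above */
		return -1;
	}
	*off += (size_t) n;
	return 0;
}

/* Hypothetical checked variant covering the first two rule fields. */
static int format_rule_checked(char *rule, size_t size, const char *sender)
{
	size_t off = 0;
	if (rule_append(rule, size, &off, "type='signal'") < 0)
		return -1;
	if (sender && rule_append(rule, size, &off, ",sender='%s'", sender) < 0)
		return -1;
	return 0;
}

int main(void)
{
	char rule[32];	/* constructed: small enough to force truncation */
	const char *s = "org.example.constructed.very.long.name.x";
	int rc = format_rule_checked(rule, sizeof(rule), s);
	printf("rc=%d rule=%s wrapped=%zu\n", rc, rule, remaining_after_sender(sizeof(rule), s));
	return 0;
}
```

A caller that gets -1 should drop the rule rather than register a truncated match string.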
------------------------------
End of connman Digest, Vol 55, Issue 8
**************************************