[systemd-devel] [PATCH] kdbus: fix buffer overflow in bus_get_owner_kdbus() function

2014-10-10 Thread Lukasz Skalski
Commit 710fc9779b7c (kdbus repo) introduced attaching items[]
instead of name[] in kdbus_cmd_conn_info struct. Commit 581fe6c81
(systemd repo) caught up with this change, but item size was not
properly calculated.

---
 src/libsystemd/sd-bus/bus-control.c | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/libsystemd/sd-bus/bus-control.c 
b/src/libsystemd/sd-bus/bus-control.c
index dbd94fc..7b106a3 100644
--- a/src/libsystemd/sd-bus/bus-control.c
+++ b/src/libsystemd/sd-bus/bus-control.c
@@ -398,7 +398,7 @@ static int bus_get_owner_kdbus(
 struct kdbus_cmd_conn_info *cmd;
 struct kdbus_conn_info *conn_info;
 struct kdbus_item *item;
-size_t size;
+size_t size, l;
 uint64_t m, id;
 int r;
 
@@ -410,13 +410,12 @@ static int bus_get_owner_kdbus(
 cmd = alloca0_align(size, 8);
 cmd-id = id;
 } else {
-size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1;
-
-size = offsetof(struct kdbus_cmd_conn_info, items) + item_size;
+l = strlen(name) + 1;
+size = offsetof(struct kdbus_cmd_conn_info, items) + 
KDBUS_ITEM_SIZE(l);
 cmd = alloca0_align(size, 8);
-cmd-items[0].size = item_size;
+cmd-items[0].size = KDBUS_ITEM_HEADER_SIZE + l;
 cmd-items[0].type = KDBUS_ITEM_NAME;
-strcpy(cmd-items[0].str, name);
+memcpy(cmd-items[0].str, name, l);
 }
 
 cmd-size = size;
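Review bot: `l = strlen(name) + 1` flows straight into `alloca0_align(size, 8)` in the else branch, and nothing in this hunk caps it, so the stack allocation grows with whatever string the caller supplies. bus_get_owner_kdbus() starts and ends outside the hunk, so a bound may already be enforced earlier in the function or by its callers; if it is not, rejecting over-long names with `-EINVAL` before the allocation would rule out stack exhaustion. A short comment would also help the next reader, since the unpadded/padded distinction is what this fix is about: `/* items[0].size is the unpadded item length; the allocation uses KDBUS_ITEM_SIZE(l), which presumably adds alignment padding */`.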
-- 
1.9.3



Re: [systemd-devel] [PATCH] kdbus: fix buffer overflow in bus_get_owner_kdbus() function

2014-10-10 Thread Daniel Mack
On 10/10/2014 12:29 PM, Lukasz Skalski wrote:
 Commit 710fc9779b7c (kdbus repo) introduced attaching items[]
 instead of name[] in kdbus_cmd_conn_info struct. Commit 581fe6c81
 (systemd repo) caught up with this change, but item size was not
 properly calculated.

Thanks for spotting this!

Applied.


 
 ---
  src/libsystemd/sd-bus/bus-control.c | 11 +--
  1 file changed, 5 insertions(+), 6 deletions(-)
 
 diff --git a/src/libsystemd/sd-bus/bus-control.c 
 b/src/libsystemd/sd-bus/bus-control.c
 index dbd94fc..7b106a3 100644
 --- a/src/libsystemd/sd-bus/bus-control.c
 +++ b/src/libsystemd/sd-bus/bus-control.c
 @@ -398,7 +398,7 @@ static int bus_get_owner_kdbus(
  struct kdbus_cmd_conn_info *cmd;
  struct kdbus_conn_info *conn_info;
  struct kdbus_item *item;
 -size_t size;
 +size_t size, l;
  uint64_t m, id;
  int r;
  
 @@ -410,13 +410,12 @@ static int bus_get_owner_kdbus(
  cmd = alloca0_align(size, 8);
  cmd-id = id;
  } else {
 -size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1;
 -
 -size = offsetof(struct kdbus_cmd_conn_info, items) + 
 item_size;
 +l = strlen(name) + 1;
 +size = offsetof(struct kdbus_cmd_conn_info, items) + 
 KDBUS_ITEM_SIZE(l);
  cmd = alloca0_align(size, 8);
 -cmd-items[0].size = item_size;
 +cmd-items[0].size = KDBUS_ITEM_HEADER_SIZE + l;
  cmd-items[0].type = KDBUS_ITEM_NAME;
 -strcpy(cmd-items[0].str, name);
 +memcpy(cmd-items[0].str, name, l);
  }
  
  cmd-size = size;
 
