Re: [systemd-devel] [PATCH] bus: fix null pointer dereference
On Sun, 09.11.14 15:41, Ronny Chevalier (chevalier.ro...@gmail.com) wrote: > CID#1237620 > --- > src/libsystemd/sd-bus/bus-message.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/libsystemd/sd-bus/bus-message.c > b/src/libsystemd/sd-bus/bus-message.c > index be36d9f..edadacf 100644 > --- a/src/libsystemd/sd-bus/bus-message.c > +++ b/src/libsystemd/sd-bus/bus-message.c > @@ -2048,6 +2048,7 @@ static int bus_message_close_variant(sd_bus_message *m, > struct bus_container *c) > > assert(m); > assert(c); > +assert(c->signature); > > if (!BUS_MESSAGE_IS_GVARIANT(m)) > return 0; > @@ -2174,6 +2175,8 @@ _public_ int > sd_bus_message_close_container(sd_bus_message *m) { > if (c->enclosing != SD_BUS_TYPE_ARRAY) > if (c->signature && c->signature[c->index] != 0) > return -EINVAL; > +if (!c->signature && c->enclosing == SD_BUS_TYPE_VARIANT) > +return -EINVAL; > > m->n_containers--; The letter check is really unnecessary, we don't need to fail in this case. Note that when a container is being put together the signature is known and initialized at the time the container is opened. Hence when a container was successfully opened, we know that we can also close it again with an initialized signature. The only reason why we allow the signature to be NULL in most cases, is that when no container is open, and we hence put together the top-level message object, then we don't know the signature yet, and it grows as elements are added. It's a bit of a weird assymetry in that regard: containers know the signature in advance, but the message itself grows the signature as we go... Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] bus: fix null pointer dereference
Hi On Sun, Nov 9, 2014 at 3:41 PM, Ronny Chevalier wrote: > CID#1237620 > --- > src/libsystemd/sd-bus/bus-message.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/src/libsystemd/sd-bus/bus-message.c > b/src/libsystemd/sd-bus/bus-message.c > index be36d9f..edadacf 100644 > --- a/src/libsystemd/sd-bus/bus-message.c > +++ b/src/libsystemd/sd-bus/bus-message.c > @@ -2048,6 +2048,7 @@ static int bus_message_close_variant(sd_bus_message *m, > struct bus_container *c) > > assert(m); > assert(c); > +assert(c->signature); > > if (!BUS_MESSAGE_IS_GVARIANT(m)) > return 0; > @@ -2174,6 +2175,8 @@ _public_ int > sd_bus_message_close_container(sd_bus_message *m) { > if (c->enclosing != SD_BUS_TYPE_ARRAY) > if (c->signature && c->signature[c->index] != 0) > return -EINVAL; > +if (!c->signature && c->enclosing == SD_BUS_TYPE_VARIANT) > +return -EINVAL; I think we expect "c->signature" to always be non-NULL. See sd_bus_message_enter_container() and sd_bus_message_open_container(). They call strdup() on the signature unconditionally and I cannot see another place that allocates bus_container objects. I'll leave this to Lennart, as he wrote that code. If c->signature is always non-NULL, we should probably remove the "if (c->signature &&" part in the line above. Thanks David > m->n_containers--; > > -- > 2.1.3 > > ___ > systemd-devel mailing list > systemd-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/systemd-devel ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] bus: fix null pointer dereference
CID#1237620 --- src/libsystemd/sd-bus/bus-message.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c index be36d9f..edadacf 100644 --- a/src/libsystemd/sd-bus/bus-message.c +++ b/src/libsystemd/sd-bus/bus-message.c @@ -2048,6 +2048,7 @@ static int bus_message_close_variant(sd_bus_message *m, struct bus_container *c) assert(m); assert(c); +assert(c->signature); if (!BUS_MESSAGE_IS_GVARIANT(m)) return 0; @@ -2174,6 +2175,8 @@ _public_ int sd_bus_message_close_container(sd_bus_message *m) { if (c->enclosing != SD_BUS_TYPE_ARRAY) if (c->signature && c->signature[c->index] != 0) return -EINVAL; +if (!c->signature && c->enclosing == SD_BUS_TYPE_VARIANT) +return -EINVAL; m->n_containers--; -- 2.1.3 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel