D-Bus daemon endianness issue

Alp Toker alp at atoker.com
Sat Mar 17 02:55:30 PDT 2007 

The libdbus daemon seems to send malformed messages claiming to be 
big-endian but containing little-endian values under certain conditions.

This pseudo-code triggers the bug on my x86 system when the client 
library is made to send big-endian messages:

   Connection bus = Bus.Session;
   bus.AddMatch ("type='method_call'");
   Message msg = bus.ReadMessage ();

The fixed part of the message header returned by dbus-daemon at 
ReadMessage () is:

"B\1\0\1\27\0\0\0\2\0\0\0\217\0\0\0"

You can see the big-endian flag at the start yet the uint values are 
clearly little-endian.

The array of variants keyed by field codes in the header is the same:

"\1\1o\0\25\0\0\0/org/freedesktop/DBus\0\0\0\2\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\3\1s\0\10\0\0\0AddMatch\0\0\0\0\0\0\0\0\6\1s\0\24\0\0\0org.freedesktop.DBus\0\0\0\0\10\1g\0\1s\0\0\7\1s\0\6\0\0\0:1.196\0\0"

For the benefit of those who don't hack D-Bus, this is the managed 
(http://www.ndesk.org/DBusSharp) form of this serialized structure:

   struct Header
   {
     public EndianFlag Endianness;
     public MessageType MessageType;
     public HeaderFlag Flags;
     public byte MajorVersion;
     public uint Length;
     public uint Serial;
     public IDictionary<FieldCode,object> Fields;
   }

The message body is also little-endian:

"\22\0\0\0type=\'method_call\'\0"

Adding match rules for signals works fine though, and the signal 
messages are provided in the endianness in which they were sent. This is 
probably the expected behaviour for the currently broken method_call case.

This is crippling for any dbus-monitor tool that uses network byte order 
on a little-endian system. It may also affect interoperability between 
platforms.

It may be possible not only to crash others' connections to the bus in 
some configurations, but also to use a carefully crafted sequence of 
messages to place applications in an unexpected state. Constructing a 
message with a spoofed body length large enough to cause the client 
library to read the content of the following message comes to mind. The 
content of the following message could be parsed as part of the original 
message given a byte array signature, providing a way to obtain the full 
headers and bodies of arbitrary messages from, say, a forwarding daemon.

More information about the dbus mailing list