Bug in dbus-sysdeps-unix.c in DBUS 1.2.4

Schmottlach, Glenn GSchmott at harmanbecker.com
Wed Nov 12 08:19:19 PST 2008

I stumbled across this bug in dbus/dbus-sysdeps-unix.c while porting
DBus to QNX where only LOCAL_CREDS are supported for domain sockets. In
particular, in the function dbus_read_credentials_socket() (@ line
~1218) the code tries to verify that the size of the received
credentials structure is the expected size. Unfortunately, for
LOCAL_CREDS, this is computed incorrectly:

#if defined(HAVE_CMSGCRED) || defined(LOCAL_CREDS)
  if ( cmsg.hdr.cmsg_len < sizeof(cmsg) || cmsg.hdr.cmsg_type != SCM_CREDS )

For LOCAL_CREDS, this should actually be computed as follows:

#if defined(HAVE_CMSGCRED) || defined(LOCAL_CREDS)
#if defined(HAVE_CMSGCRED)
  if ( cmsg.hdr.cmsg_len < sizeof(cmsg) || cmsg.hdr.cmsg_type != SCM_CREDS )
#else /* LOCAL_CREDS */
  if ( (cmsg.hdr.cmsg_len < (sizeof(cmsg.hdr) + SOCKCREDSIZE(0))) ||
       (cmsg.hdr.cmsg_type != SCM_CREDS) )
#endif

When running the dbus-daemon as root with no (zero) supplemental groups,
a simple sizeof(cmsg) is not correct since the sc_groups[1] field of
struct sockcred will NOT be transmitted. Thankfully, the SOCKCREDSIZE
macro in sockets.h computes the correct size (assuming that at a
minimum, no supplemental groups are encoded in the stream).


Could the DBUS maintainers please review this change and, if correct,
apply it to the development branch?


Thanks. . .
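
Added example (not part of the original post and not D-Bus code): a length validator for a received credentials message that accepts the zero-group minimum described above and also checks that the declared group count fits in the bytes that arrived. struct ex_sockcred, EX_SOCKCREDSIZE and both function names are hypothetical stand-ins with an assumed field layout, so the block builds on systems without LOCAL_CREDS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Constructed stand-in for struct sockcred (assumed field layout). */
struct ex_sockcred {
    uid_t sc_uid, sc_euid;
    gid_t sc_gid, sc_egid;
    int   sc_ngroups;       /* number of supplemental groups */
    gid_t sc_groups[1];     /* variable length; absent when sc_ngroups == 0 */
};

/* Stand-in for SOCKCREDSIZE(n): credential bytes sent for n groups. */
#define EX_SOCKCREDSIZE(n) \
    (offsetof(struct ex_sockcred, sc_groups) + (size_t)(n) * sizeof(gid_t))

/* Modeled on the check quoted in the post: one fixed size that always
 * counts sc_groups[0], so a sender with zero groups is rejected. */
bool len_ok_fixed(size_t cmsg_len)
{
    return cmsg_len >= sizeof(struct cmsghdr) + sizeof(struct ex_sockcred);
}

/* Zero-group minimum from the post, then an added consistency step:
 * the declared group count must fit inside the bytes that arrived. */
bool len_ok_variable(size_t cmsg_len, const struct ex_sockcred *sc)
{
    size_t min_len = sizeof(struct cmsghdr) + EX_SOCKCREDSIZE(0);

    if (cmsg_len < min_len || sc->sc_ngroups < 0)
        return false;       /* sc is only read once the fixed fields fit */
    /* Divide instead of multiplying so a huge count cannot overflow. */
    return (cmsg_len - min_len) / sizeof(gid_t) >= (size_t)sc->sc_ngroups;
}

int main(void)
{
    struct ex_sockcred root = {0};   /* constructed: uid 0, no groups */
    size_t len = sizeof(struct cmsghdr) + EX_SOCKCREDSIZE(0);

    printf("fixed check:    %d\n", len_ok_fixed(len));
    printf("variable check: %d\n", len_ok_variable(len, &root));
    return 0;
}
```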
