Clarifications on the D-Bus specification
Rémi Denis-Courmont
remi at remlab.net
Sat Dec 11 10:16:59 PST 2010
Replying to self...
On Friday 10 December 2010, Rémi Denis-Courmont wrote:
> On Fri, 10 Dec 2010 20:52:40 +0100, Thiago Macieira <thiago at kde.org> wrote:
> > The other thing is protection against an attack vector -- an exploit
> > by recursion. If the protection is by applying one of the limits,
> > then let's use it.
>
> The specification does not specify any limits on variant recursion, that I
> can find. So it's not a matter of applying a limit that was not applied
> this far. It's a first matter of adding a new limit to the protocol - if it
> is needed anyhow.
So in fact, the bus daemon does crash with a few tens of thousands of nested
variants, at least on 386 (tested Debian D-Bus 1.2.24 and Ubuntu D-Bus 1.4.0):
http://www.remlab.net/op/dbus-variant-recursion.shtml
I already filed the issue as FreeDesktop bug #32321.
The issue might also affect other non-libdbus-based implementations but I have
not tested any of those. It might also affect programs that parse 'any' message
recursively such as dbus-send, but again I have not tested that.
I should note that I could not convince libdbus to write a deep enough
message. At about two hundred nested containers, libdbus made the glibc heap
checks abort - probably a separate bug. If run under valgrind then libdbuds
'cleanly' failed to write a message with about 400 nested containers.
--
Rémi Denis-Courmont
http://www.remlab.net/
More information about the dbus
mailing list