Clarifications on the D-Bus specification

Rémi Denis-Courmont remi at
Sat Dec 11 10:16:59 PST 2010

Replying to self...

On Friday 10 December 2010, Rémi Denis-Courmont wrote:
> On Fri, 10 Dec 2010 20:52:40 +0100, Thiago Macieira <thiago at> wrote:
> > The other thing is protection against an attack vector -- an exploit
> > by recursion. If the protection is by applying one of the limits,
> > then let's use it.
> The specification does not specify any limits on variant recursion, that I
> can find. So it's not a matter of applying a limit that was not applied
> this far. It's a first matter of adding a new limit to the protocol - if it
> is needed anyhow.

So in fact, the bus daemon does crash with a few tens of thousands of nested 
variants, at least on 386 (tested Debian D-Bus 1.2.24 and Ubuntu D-Bus 1.4.0):

I already filed the issue as FreeDesktop bug #32321.

The issue might also affect other non-libdbus-based implementations but I have 
not tested any of those. It might also affect programs that parse 'any' message 
recursively such as dbus-send, but again I have not tested that.

I should note that I could not convince libdbus to write a deep enough 
message. At about two hundred nested containers, libdbus made the glibc heap 
checks abort - probably a separate bug. If run under valgrind then libdbuds 
'cleanly' failed to write a message with about 400 nested containers.

Rémi Denis-Courmont

More information about the dbus mailing list