Clarifications on the D-Bus specification
hp at pobox.com
Sun Dec 12 18:45:09 PST 2010

I posted patches to the bug that need testing with your exploit and
need a spec patch. My patches assume the max nest depth is 64. Some
code in dbus-message.c breaks if a DBusMessage goes over 255, so I'd
recommend not going over that. But 128 would be pretty easily possible.

I used "2 * DBUS_MAXIMUM_TYPE_RECURSION_DEPTH" instead of adding a new
constant to dbus-protocol.h since that was already the max nesting in
a signature if you nested arrays in structs. But maybe it should be a
new constant, especially if it isn't 64.

Someone else will need to pick this up tomorrow and get it pushed, but
I hope my start on it is helpful.
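
The depth arithmetic in the message above, as an added example that is not part of the original post or of the dbus code base: a simplified signature walker that caps arrays and structs separately and reports the deepest nesting reached, so the 64 falls out of 32 arrays around 32 structs. The names `sig_nesting_depth`, `depth_of_nested`, `MAX_TYPE_DEPTH` and `MAX_NEST_DEPTH` are hypothetical, and the value 32 for DBUS_MAXIMUM_TYPE_RECURSION_DEPTH is an assumption. Dict entries are rejected rather than handled, and a variant is counted as a single type code.

```c
#include <stdio.h>
#include <string.h>
#define MAX_TYPE_DEPTH 32                    /* assumed DBUS_MAXIMUM_TYPE_RECURSION_DEPTH */
#define MAX_NEST_DEPTH (2 * MAX_TYPE_DEPTH)  /* the 64 from the message */

/* Deepest nesting in sig, or -1 if malformed or over 32 arrays / 32 structs. */
int sig_nesting_depth(const char *sig)
{
    char stack[MAX_NEST_DEPTH];              /* open containers: 'a' or '(' */
    int top = 0, arrays = 0, structs = 0, deepest = 0;
    for (const char *p = sig; *p; p++) {
        if (*p == 'a' || *p == '(') {
            int *count = (*p == 'a') ? &arrays : &structs;
            if (++*count > MAX_TYPE_DEPTH)
                return -1;                   /* so top never exceeds 64 */
            stack[top++] = *p;
            if (top > deepest) deepest = top;
            continue;
        }
        if (*p == ')') {
            if (top == 0 || stack[top - 1] != '(' || p[-1] == '(')
                return -1;                   /* unbalanced or empty struct */
            top--, structs--;
        } else if (!strchr("ybnqiuxtdsogvh", *p)) {
            return -1;                       /* dict entries not handled here */
        }
        /* A complete type just ended; it closes every array waiting on it. */
        while (top > 0 && stack[top - 1] == 'a')
            top--, arrays--;
    }
    return top == 0 ? deepest : -1;
}

/* Constructed input: n_arrays 'a' codes, then n_structs structs around one 'i'. */
int depth_of_nested(int n_arrays, int n_structs)
{
    char sig[4 * MAX_NEST_DEPTH] = "";
    if (n_arrays < 0 || n_structs < 0 || n_arrays > 64 || n_structs > 64) return -1;
    memset(sig, 'a', n_arrays);
    memset(sig + n_arrays, '(', n_structs);
    sig[n_arrays + n_structs] = 'i';
    memset(sig + n_arrays + n_structs + 1, ')', n_structs);
    return sig_nesting_depth(sig);           /* rest of sig is already zeroed */
}

int main(void)
{
    printf("%d %d\n", depth_of_nested(32, 32), depth_of_nested(33, 0));
    return 0;
}
```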