[systemd-devel] [PATCH] bus: fix null pointer dereference
David Herrmann
dh.herrmann at gmail.com
Sun Nov 16 10:49:40 PST 2014
Hi
On Sun, Nov 9, 2014 at 3:41 PM, Ronny Chevalier
<chevalier.ronny at gmail.com> wrote:
> CID#1237620
> ---
> src/libsystemd/sd-bus/bus-message.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
> index be36d9f..edadacf 100644
> --- a/src/libsystemd/sd-bus/bus-message.c
> +++ b/src/libsystemd/sd-bus/bus-message.c
> @@ -2048,6 +2048,7 @@ static int bus_message_close_variant(sd_bus_message *m, struct bus_container *c)
>
> assert(m);
> assert(c);
> + assert(c->signature);
>
> if (!BUS_MESSAGE_IS_GVARIANT(m))
> return 0;
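Review bot: an assert() does not close the null-pointer path the subject line says this fixes; if c->signature can be NULL when bus_message_close_variant() runs, the assert turns the dereference into an abort in debug builds and, where asserts are compiled out, leaves the dereference in place. The assert is also placed above the `if (!BUS_MESSAGE_IS_GVARIANT(m)) return 0;` early return, so a non-GVariant message with a NULL signature now aborts on a field that early-return path does not read. Either move the check below the early return, or, if a NULL signature is a reachable caller state (as the -EINVAL handling in the second hunk suggests), return an error here instead of asserting.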
> @@ -2174,6 +2175,8 @@ _public_ int sd_bus_message_close_container(sd_bus_message *m) {
> if (c->enclosing != SD_BUS_TYPE_ARRAY)
> if (c->signature && c->signature[c->index] != 0)
> return -EINVAL;
> + if (!c->signature && c->enclosing == SD_BUS_TYPE_VARIANT)
> + return -EINVAL;
I think we expect "c->signature" to always be non-NULL. See
sd_bus_message_enter_container() and sd_bus_message_open_container().
They call strdup() on the signature unconditionally and I cannot see
another place that allocates bus_container objects.
I'll leave this to Lennart, as he wrote that code. If c->signature is
always non-NULL, we should probably remove the "if (c->signature &&"
part in the line above.
Thanks
David
> m->n_containers--;
>
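Review bot: the new test only rejects a NULL c->signature when c->enclosing is SD_BUS_TYPE_VARIANT, yet the guard two lines above it (`if (c->signature && c->signature[c->index] != 0)`) already treats a NULL signature as possible for every non-array container, so a struct or dict-entry container with a NULL signature still falls through to `m->n_containers--` and is closed. If NULL is reachable, reject it regardless of enclosing type (or fold the two tests into one); if it is not, drop the `c->signature &&` guard and the new test together rather than asserting in one function and returning -EINVAL in the other. The commit message gives only the Coverity ID, so it would help to state which caller leaves c->signature NULL.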
> --
> 2.1.3
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel