[systemd-devel] [PATCH] kdbus: fix buffer overflow in bus_get_owner_kdbus() function

Daniel Mack daniel at zonque.org
Fri Oct 10 03:49:18 PDT 2014


On 10/10/2014 12:29 PM, Lukasz Skalski wrote:
> Commit 710fc9779b7c (kdbus repo) introduced attaching items[]
> instead of name[] in the kdbus_cmd_conn_info struct. Commit 581fe6c81
> (systemd repo) caught up with this change, but the item size was not
> properly calculated.

Thanks for spotting this!

Applied.


> 
> ---
>  src/libsystemd/sd-bus/bus-control.c | 11 +++++------
>  1 file changed, 5 insertions(+), 6 deletions(-)
> 
> diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c
> index dbd94fc..7b106a3 100644
> --- a/src/libsystemd/sd-bus/bus-control.c
> +++ b/src/libsystemd/sd-bus/bus-control.c
> @@ -398,7 +398,7 @@ static int bus_get_owner_kdbus(
>          struct kdbus_cmd_conn_info *cmd;
>          struct kdbus_conn_info *conn_info;
>          struct kdbus_item *item;
> -        size_t size;
> +        size_t size, l;
>          uint64_t m, id;
>          int r;
>  
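Review bot: nit on `size_t size, l;`: `l` is only used in the else branch of the following hunk, so it could be declared there (`size_t l = strlen(name) + 1;`) to keep its scope to the code that needs it; fine to keep it at function scope if the project style prefers declarations at the top of the function.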
> @@ -410,13 +410,12 @@ static int bus_get_owner_kdbus(
>                  cmd = alloca0_align(size, 8);
>                  cmd->id = id;
>          } else {
> -                size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1;
> -
> -                size = offsetof(struct kdbus_cmd_conn_info, items) + item_size;
> +                l = strlen(name) + 1;
> +                size = offsetof(struct kdbus_cmd_conn_info, items) + KDBUS_ITEM_SIZE(l);
>                  cmd = alloca0_align(size, 8);
> -                cmd->items[0].size = item_size;
> +                cmd->items[0].size = KDBUS_ITEM_HEADER_SIZE + l;
>                  cmd->items[0].type = KDBUS_ITEM_NAME;
> -                strcpy(cmd->items[0].str, name);
> +                memcpy(cmd->items[0].str, name, l);
>          }
>  
>          cmd->size = size;
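Review bot: the fix rests on two different sizes for the same item and the hunk does not say why, so a one-line comment would help the next reader: `KDBUS_ITEM_SIZE(l)` (padded to 8 bytes) goes into the allocation and into `cmd->size`, while `cmd->items[0].size = KDBUS_ITEM_HEADER_SIZE + l;` records the unpadded header-plus-string length. The `memcpy(cmd->items[0].str, name, l);` with `l = strlen(name) + 1` copies the terminating NUL, so the payload stays a C string and the bound-length copy is strictly better than the old `strcpy`. Note that `size` is now derived from the caller-supplied `name` and handed to `alloca0_align(size, 8)`, so it is worth confirming that callers bound the length of `name` before reaching this point, since the stack allocation itself does not.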
> 
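The commit message says the item size was not properly calculated; the following is an added example, not code from the systemd or kdbus repositories, that models the two calculations side by side. It trims `struct kdbus_item` and `struct kdbus_cmd_conn_info` to the fields the hunk touches, reproduces the `KDBUS_ALIGN8`, `KDBUS_ITEM_HEADER_SIZE` and `KDBUS_ITEM_SIZE` macros from kdbus.h as assumptions, uses a made-up value for `KDBUS_ITEM_NAME`, and addresses the item payload by offset rather than through kdbus's flexible union so that it stays within standard C. `cmd_items_consistent` is a stand-in for an 8-byte-aligned item walk, not the kernel's actual validation code.

```c
/*
 * Added example, not code from the systemd or kdbus repositories: a
 * stand-alone model of the size calculation the patch corrects.  Struct
 * shapes are trimmed to the fields the hunk touches; the KDBUS_* macros
 * are reproduced from kdbus.h as assumptions for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KDBUS_ALIGN8(s)        (((s) + 7) & ~(size_t)7)
#define KDBUS_ITEM_NAME        1        /* assumed value; only identity matters here */

struct kdbus_item {                     /* header only; the payload follows in memory */
        uint64_t size;                  /* header + payload, NOT padded */
        uint64_t type;
};

#define KDBUS_ITEM_HEADER_SIZE sizeof(struct kdbus_item)
#define KDBUS_ITEM_SIZE(s)     KDBUS_ALIGN8(KDBUS_ITEM_HEADER_SIZE + (s))

struct kdbus_cmd_conn_info {
        uint64_t size;                  /* total bytes of this command */
        uint64_t flags;
        uint64_t id;
        struct kdbus_item items[];      /* variable-length, 8-byte-aligned items */
};

static char *item_payload(struct kdbus_item *item) {
        return (char *)item + KDBUS_ITEM_HEADER_SIZE;
}

/* Total command size as the pre-patch code computed it (no item padding). */
size_t old_cmd_size(const char *name) {
        size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1;
        return offsetof(struct kdbus_cmd_conn_info, items) + item_size;
}

/* Total command size as the patched code computes it (item padded to 8). */
size_t new_cmd_size(const char *name) {
        size_t l = strlen(name) + 1;
        return offsetof(struct kdbus_cmd_conn_info, items) + KDBUS_ITEM_SIZE(l);
}

/* Build the command on the heap (the original uses alloca0_align) with either
 * the pre-patch or the patched total size.  items[0].size is the unpadded
 * header + string length in both cases, exactly as in the hunk. */
struct kdbus_cmd_conn_info *build_cmd(const char *name, bool padded) {
        size_t l = strlen(name) + 1;
        size_t size = padded ? new_cmd_size(name) : old_cmd_size(name);
        struct kdbus_cmd_conn_info *cmd = calloc(1, size);   /* zero-filled like alloca0 */
        if (!cmd)
                return NULL;
        cmd->items[0].size = KDBUS_ITEM_HEADER_SIZE + l;
        cmd->items[0].type = KDBUS_ITEM_NAME;
        memcpy(item_payload(&cmd->items[0]), name, l);      /* l includes the NUL */
        cmd->size = size;
        return cmd;
}

/* Walk the items the way an 8-byte-aligned iterator would: the total must be
 * a multiple of 8, each item must fit when advanced by its aligned size, a
 * NAME payload must be NUL-terminated, and the walk must end exactly at the
 * end of the buffer. */
bool cmd_items_consistent(struct kdbus_cmd_conn_info *cmd) {
        uint8_t *base = (uint8_t *)cmd, *end = base + cmd->size;
        uint8_t *p = base + offsetof(struct kdbus_cmd_conn_info, items);

        if (cmd->size % 8 != 0)
                return false;
        while (p < end) {
                struct kdbus_item *item = (struct kdbus_item *)p;
                if ((size_t)(end - p) < KDBUS_ITEM_HEADER_SIZE || item->size < KDBUS_ITEM_HEADER_SIZE)
                        return false;
                size_t step = KDBUS_ALIGN8(item->size);
                if (step > (size_t)(end - p))
                        return false;
                if (item->type == KDBUS_ITEM_NAME) {
                        size_t slen = item->size - KDBUS_ITEM_HEADER_SIZE;
                        if (slen == 0 || item_payload(item)[slen - 1] != '\0')
                                return false;
                }
                p += step;
        }
        return p == end;
}

/* Build, validate and free; returns whether the layout passed the walk. */
bool layout_is_consistent(const char *name, bool padded) {
        struct kdbus_cmd_conn_info *cmd = build_cmd(name, padded);
        bool ok = cmd && cmd_items_consistent(cmd);
        free(cmd);
        return ok;
}

int main(void) {
        const char *name = "org.freedesktop.DBus";   /* constructed sample name */
        printf("old size %zu (consistent: %d), new size %zu (consistent: %d)\n",
               old_cmd_size(name), layout_is_consistent(name, false),
               new_cmd_size(name), layout_is_consistent(name, true));
        return 0;
}
```

For a 20-character name the unpadded total is 61 bytes and the padded total is 64; the two only coincide when the string plus its NUL already fills out to a multiple of 8, which is why a fixed test name may never trigger the mismatch.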


