[systemd-devel] [PATCH] sd-bus: fix potential UB in bus_socket_auth_verify_client()

Cristian Rodríguez crrodriguez at opensuse.org
Wed May 13 15:16:28 PDT 2015


When built with GCC undefined behaviour sanitizer the following problem
surfaces:

src/libsystemd/sd-bus/bus-socket.c:180:11: runtime error: null pointer
passed as argument 1, which is declared to never be null

Indeed, calling memmem where b->rbuffer == NULL is undefined behaviour.

Fix that by returning if rbuffer is null or rbuffer_size < 2
---
 src/libsystemd/sd-bus/bus-socket.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
index 94a5c04..6463f7c 100644
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -177,6 +177,9 @@ static int bus_socket_auth_verify_client(sd_bus *b) {
         /* We expect two response lines: "OK" and possibly
          * "AGREE_UNIX_FD" */
 
+        if(!b->rbuffer || b->rbuffer_size < 2)
+                return 0;
+
         e = memmem(b->rbuffer, b->rbuffer_size, "\r\n", 2);
         if (!e)
                 return 0;
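Review bot: The added `if(!b->rbuffer || b->rbuffer_size < 2)` is missing the space after `if` that the surrounding code uses (see `if (!e)` two lines below); write it as `if (!b->rbuffer || b->rbuffer_size < 2)`. The NULL test is the half that addresses the sanitizer report, since it keeps a null pointer from being passed to memmem(). The `rbuffer_size < 2` half only short-circuits a case that already ends in `return 0` through the existing `if (!e)` check, because a 2-byte needle cannot match in a shorter buffer. A one-line comment stating that the guard exists because memmem() must not receive a NULL haystack would keep it from being dropped later as redundant.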
-- 
2.3.7


