richardphibel / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
4b8c80
From 90dedb47d2cb060a366d12bf467f03fa20c5ed24 Mon Sep 17 00:00:00 2001
4b8c80
From: Lennart Poettering <lennart@poettering.net>
4b8c80
Date: Thu, 17 Jan 2019 18:14:17 +0100
4b8c80
Subject: [PATCH] sd-bus: reorder bus ref and bus message ref handling
4b8c80
4b8c80
Let's always place handling of these references together, so that all
4b8c80
reference counting during allocation is at a single place.
4b8c80
4b8c80
(cherry picked from commit e593b6a87a335267e5f7238b14683b7f840a01a3)
4b8c80
Related: CVE-2020-1712
4b8c80
---
4b8c80
 src/libsystemd/sd-bus/bus-message.c | 5 +++--
4b8c80
 1 file changed, 3 insertions(+), 2 deletions(-)
4b8c80
4b8c80
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
4b8c80
index 53cbd675b7..2ea3c5bba9 100644
4b8c80
--- a/src/libsystemd/sd-bus/bus-message.c
4b8c80
+++ b/src/libsystemd/sd-bus/bus-message.c
4b8c80
@@ -461,7 +461,6 @@ int bus_message_from_header(
4b8c80
         if (!m)
4b8c80
                 return -ENOMEM;
4b8c80
 
4b8c80
-        m->n_ref = 1;
4b8c80
         m->sealed = true;
4b8c80
         m->header = header;
4b8c80
         m->header_accessible = header_accessible;
4b8c80
@@ -515,7 +514,9 @@ int bus_message_from_header(
4b8c80
                 m->creds.mask |= SD_BUS_CREDS_SELINUX_CONTEXT;
4b8c80
         }
4b8c80
 
4b8c80
+        m->n_ref = 1;
4b8c80
         m->bus = sd_bus_ref(bus);
4b8c80
+
4b8c80
         *ret = TAKE_PTR(m);
4b8c80
 
4b8c80
         return 0;
4b8c80
@@ -588,13 +589,13 @@ _public_ int sd_bus_message_new(
4b8c80
                 return -ENOMEM;
4b8c80
 
4b8c80
         t->n_ref = 1;
4b8c80
+        t->bus = sd_bus_ref(bus);
4b8c80
         t->header = (struct bus_header*) ((uint8_t*) t + ALIGN(sizeof(struct sd_bus_message)));
4b8c80
         t->header->endian = BUS_NATIVE_ENDIAN;
4b8c80
         t->header->type = type;
4b8c80
         t->header->version = bus->message_version;
4b8c80
         t->allow_fds = bus->can_fds || !IN_SET(bus->state, BUS_HELLO, BUS_RUNNING);
4b8c80
         t->root_container.need_offsets = BUS_MESSAGE_IS_GVARIANT(t);
4b8c80
-        t->bus = sd_bus_ref(bus);
4b8c80
 
4b8c80
         if (bus->allow_interactive_authorization)
4b8c80
                 t->header->flags |= BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION;