From 07f4c12efe3b9bd45d109bc5fbaf6d9dbf69d78e Mon Sep 17 00:00:00 2001

From: Simon McVittie <simon.mcvittie@collabora.co.uk>

Date: Wed, 11 Jun 2014 12:24:20 +0100

Subject: If loader contains two messages with fds, don't corrupt the second

There were two bugs here: we would previously overwrite the unused

fds with the already-used fds instead of the other way round, and

we would copy n bytes where we should have copied n ints.

Additionally, sending crafted messages in a chosen sequence to a victim

system service could cause an invalid file descriptor to be present

when dbus-daemon tries to forward one of those crafted messages to the

victim, causing sendmsg() to fail with EBADF, which resulted in

disconnecting the victim service, which would likely respond to that

by exiting. This is a denial of service (fd.o #80469, CVE-2014-3533).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=79694

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80469

Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>

diff --git a/dbus/dbus-message.c b/dbus/dbus-message.c

index c6953d0..78df755 100644

--- a/dbus/dbus-message.c

+++ b/dbus/dbus-message.c

@@ -4204,7 +4204,7 @@ load_message (DBusMessageLoader *loader,

       message->n_unix_fds_allocated = message->n_unix_fds = n_unix_fds;

       loader->n_unix_fds -= n_unix_fds;

-      memmove(loader->unix_fds + n_unix_fds, loader->unix_fds, loader->n_unix_fds);

+      memmove (loader->unix_fds, loader->unix_fds + n_unix_fds, loader->n_unix_fds * sizeof (loader->unix_fds[0]));

     }

   else

     message->unix_fds = NULL;

-- 

cgit v0.10.2