|
 |
a3e2b5 |
From a82cf4abc81722706b4466e65c1a05f997cf9fdc Mon Sep 17 00:00:00 2001
|
|
|
a3e2b5 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
a3e2b5 |
Date: Mon, 9 Jul 2018 07:38:10 +0200
|
|
|
a3e2b5 |
Subject: [PATCH] bus-message: use structured initialization to avoid use of
|
|
|
a3e2b5 |
unitialized memory
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
As far as I can see, we would either reuse some values from a previously exited
|
|
|
a3e2b5 |
container or just random bytes from the heap.
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
Should fix #10127.
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
(cherry picked from commit cf81c68e96aa29d0c28b5d3a26d1de9aa1b53b85)
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
Resolves: #1696224
|
|
|
a3e2b5 |
---
|
|
|
a3e2b5 |
src/libsystemd/sd-bus/bus-message.c | 59 +++++++++++++----------------
|
|
|
a3e2b5 |
1 file changed, 27 insertions(+), 32 deletions(-)
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
|
|
|
a3e2b5 |
index 780c8c6185..7f87d018fb 100644
|
|
|
a3e2b5 |
--- a/src/libsystemd/sd-bus/bus-message.c
|
|
|
a3e2b5 |
+++ b/src/libsystemd/sd-bus/bus-message.c
|
|
|
a3e2b5 |
@@ -1956,7 +1956,7 @@ _public_ int sd_bus_message_open_container(
|
|
|
a3e2b5 |
char type,
|
|
|
a3e2b5 |
const char *contents) {
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
- struct bus_container *c, *w;
|
|
|
a3e2b5 |
+ struct bus_container *c;
|
|
|
a3e2b5 |
uint32_t *array_size = NULL;
|
|
|
a3e2b5 |
_cleanup_free_ char *signature = NULL;
|
|
|
a3e2b5 |
size_t before, begin = 0;
|
|
|
a3e2b5 |
@@ -2001,17 +2001,14 @@ _public_ int sd_bus_message_open_container(
|
|
|
a3e2b5 |
return r;
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
/* OK, let's fill it in */
|
|
|
a3e2b5 |
- w = m->containers + m->n_containers++;
|
|
|
a3e2b5 |
- w->enclosing = type;
|
|
|
a3e2b5 |
- w->signature = TAKE_PTR(signature);
|
|
|
a3e2b5 |
- w->peeked_signature = NULL;
|
|
|
a3e2b5 |
- w->index = 0;
|
|
|
a3e2b5 |
- w->array_size = array_size;
|
|
|
a3e2b5 |
- w->before = before;
|
|
|
a3e2b5 |
- w->begin = begin;
|
|
|
a3e2b5 |
- w->n_offsets = w->offsets_allocated = 0;
|
|
|
a3e2b5 |
- w->offsets = NULL;
|
|
|
a3e2b5 |
- w->need_offsets = need_offsets;
|
|
|
a3e2b5 |
+ m->containers[m->n_containers++] = (struct bus_container) {
|
|
|
a3e2b5 |
+ .enclosing = type,
|
|
|
a3e2b5 |
+ .signature = TAKE_PTR(signature),
|
|
|
a3e2b5 |
+ .array_size = array_size,
|
|
|
a3e2b5 |
+ .before = before,
|
|
|
a3e2b5 |
+ .begin = begin,
|
|
|
a3e2b5 |
+ .need_offsets = need_offsets,
|
|
|
a3e2b5 |
+ };
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
return 0;
|
|
|
a3e2b5 |
}
|
|
|
a3e2b5 |
@@ -3980,10 +3977,10 @@ static int bus_message_enter_dict_entry(
|
|
|
a3e2b5 |
_public_ int sd_bus_message_enter_container(sd_bus_message *m,
|
|
|
a3e2b5 |
char type,
|
|
|
a3e2b5 |
const char *contents) {
|
|
|
a3e2b5 |
- struct bus_container *c, *w;
|
|
|
a3e2b5 |
+ struct bus_container *c;
|
|
|
a3e2b5 |
uint32_t *array_size = NULL;
|
|
|
a3e2b5 |
_cleanup_free_ char *signature = NULL;
|
|
|
a3e2b5 |
- size_t before;
|
|
|
a3e2b5 |
+ size_t before, end;
|
|
|
a3e2b5 |
_cleanup_free_ size_t *offsets = NULL;
|
|
|
a3e2b5 |
size_t n_offsets = 0, item_size = 0;
|
|
|
a3e2b5 |
int r;
|
|
|
a3e2b5 |
@@ -4062,28 +4059,26 @@ _public_ int sd_bus_message_enter_container(sd_bus_message *m,
|
|
|
a3e2b5 |
return r;
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
/* OK, let's fill it in */
|
|
|
a3e2b5 |
- w = m->containers + m->n_containers++;
|
|
|
a3e2b5 |
- w->enclosing = type;
|
|
|
a3e2b5 |
- w->signature = TAKE_PTR(signature);
|
|
|
a3e2b5 |
- w->peeked_signature = NULL;
|
|
|
a3e2b5 |
- w->index = 0;
|
|
|
a3e2b5 |
-
|
|
|
a3e2b5 |
- w->before = before;
|
|
|
a3e2b5 |
- w->begin = m->rindex;
|
|
|
a3e2b5 |
-
|
|
|
a3e2b5 |
- /* Unary type has fixed size of 1, but virtual size of 0 */
|
|
|
a3e2b5 |
if (BUS_MESSAGE_IS_GVARIANT(m) &&
|
|
|
a3e2b5 |
type == SD_BUS_TYPE_STRUCT &&
|
|
|
a3e2b5 |
isempty(signature))
|
|
|
a3e2b5 |
- w->end = m->rindex + 0;
|
|
|
a3e2b5 |
+ end = m->rindex + 0;
|
|
|
a3e2b5 |
else
|
|
|
a3e2b5 |
- w->end = m->rindex + c->item_size;
|
|
|
a3e2b5 |
-
|
|
|
a3e2b5 |
- w->array_size = array_size;
|
|
|
a3e2b5 |
- w->item_size = item_size;
|
|
|
a3e2b5 |
- w->offsets = TAKE_PTR(offsets);
|
|
|
a3e2b5 |
- w->n_offsets = n_offsets;
|
|
|
a3e2b5 |
- w->offset_index = 0;
|
|
|
a3e2b5 |
+ end = m->rindex + c->item_size;
|
|
|
a3e2b5 |
+
|
|
|
a3e2b5 |
+ m->containers[m->n_containers++] = (struct bus_container) {
|
|
|
a3e2b5 |
+ .enclosing = type,
|
|
|
a3e2b5 |
+ .signature = TAKE_PTR(signature),
|
|
|
a3e2b5 |
+
|
|
|
a3e2b5 |
+ .before = before,
|
|
|
a3e2b5 |
+ .begin = m->rindex,
|
|
|
a3e2b5 |
+ /* Unary type has fixed size of 1, but virtual size of 0 */
|
|
|
a3e2b5 |
+ .end = end,
|
|
|
a3e2b5 |
+ .array_size = array_size,
|
|
|
a3e2b5 |
+ .item_size = item_size,
|
|
|
a3e2b5 |
+ .offsets = TAKE_PTR(offsets),
|
|
|
a3e2b5 |
+ .n_offsets = n_offsets,
|
|
|
a3e2b5 |
+ };
|
|
|
a3e2b5 |
|
|
|
a3e2b5 |
return 1;
|
|
|
a3e2b5 |
}
|