review.tizen.org Git - platform/upstream/systemd.git/commit

bus-message: fix calculation of offsets table

The offsets specify the ends of variable length data. We would trust the
incoming data, putting the offsets specified in our message
into the offsets tables after doing some superficial verification.
But when actually reading the data we apply alignment, so we would take
the previous offset, align it, making it bigger then current offset, and
then we'd try to read data of negative length.

In the attached example, the message specifies the following offsets:
[1, 4]
but the alignment of those items is
[1, 8]
so we'd calculate the second item as starting at 8 and ending at 4.

author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Thu, 2 Aug 2018 12:25:11 +0000 (14:25 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 2 Oct 2018 09:53:20 +0000 (11:53 +0200)
commit	12603b84d2fb07603e2ea94b240c6b78ad17510e
tree	86f6b09fac23182c25fb84355d573a5d88d27b40	tree \| snapshot
parent	e8fd7e4b5b5269377efc641a7da43850822c1250	commit \| diff

src/libsystemd/sd-bus/bus-message.c		diff \| blob \| history
test/fuzz/fuzz-bus-message/crash-e1b811da5ca494e494b77c6bd8e1c2f2989425c5	[new file with mode: 0644]	blob