platform/upstream/dbus.git
2 years agoci: Teach ci-install.sh to install wine on Debian 9 'stretch'
Simon McVittie [Wed, 3 Oct 2018 16:51:49 +0000 (17:51 +0100)]
ci: Teach ci-install.sh to install wine on Debian 9 'stretch'

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 408b222a9fc61327cd7be385b6705f30f0c38802)

2 years agoci-build: Update required MSYS packages
Simon McVittie [Fri, 6 Nov 2020 13:38:45 +0000 (13:38 +0000)]
ci-build: Update required MSYS packages

The older versions we were previously building against are no longer
available on mirrors.

Based on changes proposed in !189 by Arnout Engelen, and the package
list gathered by Ralf Habacker in #318.

Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/318
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 053238254ec1cd145208d19c808678b61a6a6566)

2 years agoCI: Add ci_variant parameter
Simon McVittie [Fri, 25 Feb 2022 13:04:16 +0000 (13:04 +0000)]
CI: Add ci_variant parameter

Originally part of commit 23e1f044 "Install qhelpgenerator for native
production build on buster". Later CI fixes rely on having this
available.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2 years agoBelatedly bump version number to 1.12.21 for development
Simon McVittie [Fri, 17 Dec 2021 13:01:10 +0000 (13:01 +0000)]
Belatedly bump version number to 1.12.21 for development

Signed-off-by: Simon McVittie <smcv@collabora.com>
2 years agoUpdate NEWS
Simon McVittie [Fri, 17 Dec 2021 13:00:49 +0000 (13:00 +0000)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
2 years agointernals: Use Standard C offsetof macro if available
Simon McVittie [Fri, 10 Dec 2021 15:12:59 +0000 (15:12 +0000)]
internals: Use Standard C offsetof macro if available

clang 13 fails to compile our current implementation with:

.../dbus/dbus-message.c:2070:3: error: variable length array folded to constant array as an extension [-Werror,-Wgnu-folding-constant]
  _DBUS_STATIC_ASSERT (_DBUS_ALIGNOF (DBusMessageRealIter) <=
  ^
.../dbus/dbus-internals.h:460:25: note: expanded from macro '_DBUS_STATIC_ASSERT'
  typedef struct { char _assertion[(expr) ? 1 : -1]; } \

This appears to be because the "traditional" definition of
offsetof(), which we're hard-coding here, does not qualify as a constant
expression under C rules due to its use of pointer casts.

Modern compilers like gcc and clang have a built-in implementation
of offsetof that *is* a constant expression.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a24cf746e2a8191070efd1300a15d37284aaf2fa)

2 years agodisable fork-malloc-exec for non-glibc-systems
Jean-Louis Fuchs [Mon, 28 Sep 2020 12:45:15 +0000 (14:45 +0200)]
disable fork-malloc-exec for non-glibc-systems

Calling malloc() after fork is undefined behaviour if the process is
multi-threaded. locks held by a thread on fork() will never be released.
malloc() is usally protected by a lock and can therefore deadlock. glibc
is known not to deadlock in this case.

This commit does not rule out other problems on glibc-systems, but fixes an
issue on musl-libc-systems. Only restricting to async-signal safe functions
between fork() and exec() prevents undefined behaviour for sure. See
signal-safety(7).

(cherry picked from commit 3fab06d68f5940cde89fb9c7e647bdc48bc7b253)

2 years agodoc: Don't include TODO list in API documentation
Simon McVittie [Mon, 13 Dec 2021 12:34:07 +0000 (12:34 +0000)]
doc: Don't include TODO list in API documentation

This is sorted non-deterministically, which is undesired for reproducible
builds, and is not really part of the API in any case.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit ce8d7759a2afeb961d10be96724af2630de362e5)

2 years agodocs: generate reproducible ids
Arnout Engelen [Thu, 5 Nov 2020 20:27:02 +0000 (21:27 +0100)]
docs: generate reproducible ids

With this parameter, docbook will generate the same id's when generating the
same docs. This is helpful to get bit-by-bit 'reproducible' output, which
makes auditing the package easier.

(cherry picked from commit 43e0188dbf6506f64150f3a9b2392e315b1bbdaf)

2 years agodbus-launch: Replace slashes in DISPLAY if present
William Earley [Sun, 27 Sep 2020 11:39:04 +0000 (12:39 +0100)]
dbus-launch: Replace slashes in DISPLAY if present

dbus-daemon fails to autolaunch with X11 on macOS 10.8+ because XQuartz
(the X11 package for macOS) provides a value for `$DISPLAY` that is
not expected by dbus, in that it contains `/` characters. This is
addressed by replacing the invalid path character `/` with `_`.

Resolves: #8
Resolves: #311
(cherry picked from commit 3545d0f4de0194ced1fde6935fd7d1326dd9e832)

2 years agosysdeps: Don't raise RLIMIT_NOFILE beyond OPEN_MAX on macOS
William Earley [Sun, 27 Sep 2020 11:24:30 +0000 (12:24 +0100)]
sysdeps: Don't raise RLIMIT_NOFILE beyond OPEN_MAX on macOS

dbus-daemon fails to launch on macOS 10.5 and above because of a breaking
change in setrlimit, in which RLIM_INFINITY is no longer supported
for RLIMIT_NOFILE. Instead we must use OPEN_MAX.

Resolves: #309
(cherry picked from commit 691946dabcdd3e97787655d977a4da33fe56d433)

3 years agoReference CVE-2020-35512 in NEWS
Simon McVittie [Thu, 7 Jan 2021 11:55:19 +0000 (11:55 +0000)]
Reference CVE-2020-35512 in NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
4 years agoMerge branch 'cherry-pick-f0e526bc' into 'dbus-1.12'
Simon McVittie [Fri, 14 Aug 2020 16:14:32 +0000 (16:14 +0000)]
Merge branch 'cherry-pick-f0e526bc' into 'dbus-1.12'

tests: On Unix, include <netinet/in.h> for IPPROTO_TCP

See merge request dbus/dbus!168

4 years agotests: On Unix, include <netinet/in.h> for IPPROTO_TCP
Simon McVittie [Wed, 1 Jul 2020 15:01:38 +0000 (15:01 +0000)]
tests: On Unix, include <netinet/in.h> for IPPROTO_TCP

Otherwise, dbus doesn't compile on FreeBSD if the GLib-based tests
are enabled (which suggests that no FreeBSD user has run those tests
successfully).

We already include <netinet/in.h> in other places with no conditions
or checks other than "is Unix", so apparently it's portable enough that
specifically testing for its presence is not necessary. POSIX requires it
to exist.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit f0e526bca8a5e47246c97199f5c388b0bd00d9f3)

4 years agov1.12.20 dbus-1.12.20
Simon McVittie [Thu, 2 Jul 2020 10:10:00 +0000 (11:10 +0100)]
v1.12.20

Signed-off-by: Simon McVittie <smcv@collabora.com>
4 years agoUpdate NEWS
Simon McVittie [Thu, 2 Jul 2020 09:25:04 +0000 (10:25 +0100)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
4 years agouserdb: Reference-count DBusUserInfo, DBusGroupInfo
Simon McVittie [Tue, 30 Jun 2020 18:29:06 +0000 (19:29 +0100)]
userdb: Reference-count DBusUserInfo, DBusGroupInfo

Previously, the hash table indexed by uid (or gid) took ownership of the
single reference to the heap-allocated struct, and the hash table
indexed by username (or group name) had a borrowed pointer to the same
struct that exists in the other hash table.

However, this can break down if you have two or more distinct usernames
that share a numeric identifier. This is generally a bad idea, because
the user-space model in such situations does not match the kernel-space
reality, and in particular there is no effective kernel-level security
boundary between such users, but it is sometimes done anyway.

In this case, when the second username is looked up in the userdb, it
overwrites (replaces) the entry in the hash table that is indexed by
uid, freeing the DBusUserInfo. This results in both the key and the
value in the hash table that is indexed by username becoming dangling
pointers (use-after-free), leading to undefined behaviour, which is
certainly not what we want to see when doing access control.

An equivalent situation can occur with groups, in the rare case where
a numeric group ID has two names (although I have not heard of this
being done in practice).

Solve this by reference-counting the data structure. There are up to
three references in practice: one held temporarily while the lookup
function is populating and storing it, one held by the hash table that
is indexed by uid, and one held by the hash table that is indexed by
name.

Closes: dbus#305
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2b7948ef907669e844b52c4fa2268d6e3162a70c)

4 years agouserdb: Make lookups return a const pointer
Simon McVittie [Tue, 30 Jun 2020 18:13:17 +0000 (19:13 +0100)]
userdb: Make lookups return a const pointer

This makes it more obvious that the returned pointer points to a
struct owned by the userdb, which must not be freed or have its
contents modified, and is only valid to dereference until the next
modification to the userdb's underlying hash tables (which in practice
means until the lock is released, because after that we have no
guarantees about what might be going on in another thread).

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 6ee66ff7bcc91803111d950512f02651e664f74f)

4 years agoSolaris and derivatives do not adjust cmsg_len on MSG_CTRUNC
Andy Fiddaman [Fri, 12 Jun 2020 12:32:20 +0000 (12:32 +0000)]
Solaris and derivatives do not adjust cmsg_len on MSG_CTRUNC

(cherry picked from commit b96ef23e406baa08648339a53b0161fc80de7ce4)

4 years agoStart 1.12.20 development
Simon McVittie [Tue, 2 Jun 2020 19:57:39 +0000 (20:57 +0100)]
Start 1.12.20 development

Signed-off-by: Simon McVittie <smcv@collabora.com>
4 years agoPrepare 1.12.18
Simon McVittie [Tue, 2 Jun 2020 11:18:39 +0000 (12:18 +0100)]
Prepare 1.12.18

Signed-off-by: Simon McVittie <smcv@collabora.com>
4 years agofdpass test: Assert that we don't leak file descriptors
Simon McVittie [Thu, 16 Apr 2020 13:41:48 +0000 (14:41 +0100)]
fdpass test: Assert that we don't leak file descriptors

This version is for the dbus-1.12 branch, and doesn't rely on dbus!153
or dbus!120.

Reproduces: dbus#294
Reproduces: CVE-2020-12049
Reproduces: GHSL-2020-057
Signed-off-by: Simon McVittie <smcv@collabora.com>
4 years agosysdeps-unix: On MSG_CTRUNC, close the fds we did receive
Simon McVittie [Thu, 16 Apr 2020 13:45:11 +0000 (14:45 +0100)]
sysdeps-unix: On MSG_CTRUNC, close the fds we did receive

MSG_CTRUNC indicates that we have received fewer fds that we should
have done because the buffer was too small, but we were treating it
as though it indicated that we received *no* fds. If we received any,
we still have to make sure we close them, otherwise they will be leaked.

On the system bus, if an attacker can induce us to leak fds in this
way, that's a local denial of service via resource exhaustion.

Reported-by: Kevin Backhouse, GitHub Security Lab
Fixes: dbus#294
Fixes: CVE-2020-12049
Fixes: GHSL-2020-057

4 years agoUpdate NEWS
Simon McVittie [Fri, 15 May 2020 10:24:14 +0000 (11:24 +0100)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
4 years agodbus-daemon test: Don't test fd limits if in an unprivileged container
Simon McVittie [Tue, 4 Dec 2018 12:09:26 +0000 (12:09 +0000)]
dbus-daemon test: Don't test fd limits if in an unprivileged container

In an unprivileged container, uid 0 doesn't have CAP_SYS_RESOURCE, so
we can't expect the dbus-daemon to be able to escalate its fd limit.

This can be reproduced using bubblewrap:

    sudo bwrap \
        --cap-drop CAP_SYS_RESOURCE \
        --ro-bind / / \
        --dev /dev \
    env \
        DBUS_TEST_DAEMON=.../bus/dbus-daemon \
        DBUS_TEST_DATA=.../test/data \
    .../test/test-dbus-daemon \
        -p /fd-limit \
        --verbose

Bug-Debian: https://bugs.debian.org/908092

4 years agoUpdate NEWS
Simon McVittie [Mon, 20 Apr 2020 19:40:02 +0000 (20:40 +0100)]
Update NEWS

4 years agodoxygen: fix example for dbus_message_append_args
Felipe Franciosi [Mon, 23 Sep 2019 12:22:32 +0000 (13:22 +0100)]
doxygen: fix example for dbus_message_append_args

Commit 724adb2f6 mangled the dbus_message_append_args() code example.
This fixes it by breaking the lines and aligning at the right places.

Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
4 years agoUpdate NEWS
Simon McVittie [Mon, 20 Apr 2020 19:05:28 +0000 (20:05 +0100)]
Update NEWS

4 years agocmake: Add X11 include path for tools
Tuomo Rinne [Wed, 22 Jan 2020 21:31:15 +0000 (21:31 +0000)]
cmake: Add X11 include path for tools

Fixes compilation issues for case when X11 is not in a standard location

4 years agodoc: replace dbus-send's --address with --peer and --bus
Christopher Morin [Wed, 3 Jul 2019 08:28:29 +0000 (08:28 +0000)]
doc: replace dbus-send's --address with --peer and --bus

See merge request dbus/dbus!115

(cherry picked from commit fd41caa3664d480605628f08c217581bc42fa3e7)

4 years agoUpdate NEWS
Simon McVittie [Mon, 20 Apr 2020 18:28:16 +0000 (19:28 +0100)]
Update NEWS

4 years agoMerge branch 'cherry-pick-b034b83b' into 'dbus-1.12'
Simon McVittie [Tue, 25 Feb 2020 12:59:48 +0000 (12:59 +0000)]
Merge branch 'cherry-pick-b034b83b' into 'dbus-1.12'

[1.12] bus: Don't explicitly clear BusConnections.monitors

See merge request dbus/dbus!142

4 years agobus: Don't explicitly clear BusConnections.monitors
Simon McVittie [Thu, 20 Feb 2020 00:36:53 +0000 (00:36 +0000)]
bus: Don't explicitly clear BusConnections.monitors

Each connection that is an active monitor holds a pointer to its own
link in this list, via BusConnectionData.link_in_monitors. We can't
validly free the list while these pointers exist: that would be a
use-after-free, when each connection gets disconnected and tries to
remove itself from the list.

Instead, let each connection remove itself from the list, then assert
that the list has become empty.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/291

(cherry picked from commit b034b83b59efffd4cc819ad42d0cd078d91d53df)

4 years agoMerge branch 'cherry-pick-bf71a58e' into 'dbus-1.12'
Simon McVittie [Thu, 20 Feb 2020 13:23:22 +0000 (13:23 +0000)]
Merge branch 'cherry-pick-bf71a58e' into 'dbus-1.12'

doc: Fix environment variable name in dbus-daemon(1)

See merge request dbus/dbus!141

4 years agodoc: Fix environment variable name in dbus-daemon(1)
Philip Withnall [Tue, 13 Aug 2019 14:08:03 +0000 (14:08 +0000)]
doc: Fix environment variable name in dbus-daemon(1)

Spotted by Mubin. This documentation relates to the code in
add_bus_environment() in bus/activation.c.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Fixes: #275

(cherry picked from commit bf71a58e4ab496c1726209aaad94a1abe670a01f)

5 years agoStart 1.12.18 development
Simon McVittie [Tue, 11 Jun 2019 15:29:36 +0000 (16:29 +0100)]
Start 1.12.18 development

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoPrepare version 1.12.16 dbus-1.12.16
Simon McVittie [Sun, 9 Jun 2019 11:28:03 +0000 (12:28 +0100)]
Prepare version 1.12.16

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agotest: Add basic test coverage for DBUS_COOKIE_SHA1
Simon McVittie [Thu, 30 May 2019 11:58:28 +0000 (12:58 +0100)]
test: Add basic test coverage for DBUS_COOKIE_SHA1

We don't actually complete successful authentication, because that
would require us to generate a cookie and compute the correct SHA1,
which is difficult to do in a deterministic authentication script.
However, we do assert that dbus#269 (CVE-2019-12749) has been fixed.

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoauth: Reject DBUS_COOKIE_SHA1 for users other than the server owner
Simon McVittie [Thu, 30 May 2019 11:53:03 +0000 (12:53 +0100)]
auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner

The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.

Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.

Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.

This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:

* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
  in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart

Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749

5 years agoStart 1.12.16 development
Simon McVittie [Fri, 17 May 2019 14:48:14 +0000 (15:48 +0100)]
Start 1.12.16 development

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoRelease 1.12.14 dbus-1.12.14
Simon McVittie [Fri, 17 May 2019 09:41:10 +0000 (10:41 +0100)]
Release 1.12.14

5 years agoUpdate NEWS
Simon McVittie [Mon, 13 May 2019 10:59:03 +0000 (11:59 +0100)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agobus: Try to raise soft fd limit to match hard limit
Simon McVittie [Mon, 11 Mar 2019 09:03:39 +0000 (09:03 +0000)]
bus: Try to raise soft fd limit to match hard limit

Linux systems have traditionally set the soft limit to 1024 and the hard
limit to 4096. Recent versions of systemd keep the soft fd limit at
1024 to avoid breaking programs that still use select(), but raise the
hard limit to 512*1024, while in recent Debian versions a complicated
interaction between components gives a soft limit of 1024 and a hard
limit of 1024*1024. If we can, we might as well elevate our soft limit
to match the hard limit, minimizing the chance that we will run out of
file descriptor slots.

Unlike the previous code to raise the hard and soft limits to at least
65536, we do this even if we don't have privileges: privileges are
unnecessary to raise the soft limit up to the hard limit.

If we *do* have privileges, we also continue to raise the hard and soft
limits to at least 65536 if they weren't already that high, making
it harder to carry out a denial of service attack on the system bus on
systems that use the traditional limit (CVE-2014-7824).

As was previously the case on the system bus, we'll drop the limits back
to our initial limits before we execute a subprocess for traditional
(non-systemd) activation, if enabled.

systemd activation doesn't involve us starting subprocesses at all,
so in both cases activated services will still inherit the same limits
they did previously.

This change also fixes a bug when the hard limit is very large but
the soft limit is not, for example seen as a regression when upgrading
to systemd >= 240 (Debian #928877). In such environments, dbus-daemon
would previously have changed its fd limit to 64K soft/64K hard. Because
this hard limit is less than its original hard limit, it was unable to
restore its original hard limit as intended when carrying out traditional
activation, leaving activated subprocesses with unintended limits (while
logging a warning).

Reviewed-by: Lennart Poettering <lennart@poettering.net>
[smcv: Correct a comment based on Lennart's review, reword commit message]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7eacbfece70f16bb54d0f3ac51f87ae398759ef5)
[smcv: Mention that this also fixes Debian #928877]

5 years agocmake: Avoid overwriting PKG_CONFIG_PATH env var
Clemens Lang [Fri, 8 Feb 2019 14:48:15 +0000 (15:48 +0100)]
cmake: Avoid overwriting PKG_CONFIG_PATH env var

The CMake config file installed by DBus will run in the context of other
projects. Consequently, changing the value of the PKG_CONFIG_DIR,
PKG_CONFIG_PATH or PKG_CONFIG_LIBDIR environment variables will affect
any further calls to pkg-config made by such projects, which can cause
problems.

A common case of this happening are pkg-config files installed in
usr/share/pkgconfig for .pc files that are architecture-independent, as
for example systemd does.

Avoid clobbering the environment variables by saving and restoring their
values. Note that for some of the variables, setting them to an empty
string is different from not setting them at all.

Signed-off-by: Clemens Lang <clemens.lang@bmw-carit.de>
(cherry picked from commit 3525cc045d4c683dfc6048f5be795cc372c323a3)
Closes: dbus#267

5 years agoMerge branch 'cherry-pick-14f46d14' into 'dbus-1.12'
Simon McVittie [Thu, 18 Apr 2019 16:09:06 +0000 (16:09 +0000)]
Merge branch 'cherry-pick-14f46d14' into 'dbus-1.12'

build: Don't assume we can set permissions on a directory

See merge request dbus/dbus!112

5 years agobuild: Don't assume we can set permissions on a directory
Simon McVittie [Wed, 17 Apr 2019 15:32:01 +0000 (15:32 +0000)]
build: Don't assume we can set permissions on a directory

MSYS2 has enough of a Unixish environment to run Autotools, but
apparently not enough of a Unixish environment to have functional
permissions.

Closes: dbus#216

(cherry picked from commit 14f46d14a0526f137f81a3fff5d32f26733323cd)

5 years agoMerge branch '1-12-logical-op' into 'dbus-1.12'
Simon McVittie [Wed, 17 Apr 2019 15:19:01 +0000 (15:19 +0000)]
Merge branch '1-12-logical-op' into 'dbus-1.12'

Backport -Wlogical-op fixes to 1.12.x

See merge request dbus/dbus!109

5 years agoMerge branch '1-12-code-coverage' into 'dbus-1.12'
Simon McVittie [Wed, 17 Apr 2019 15:18:42 +0000 (15:18 +0000)]
Merge branch '1-12-code-coverage' into 'dbus-1.12'

Adapt to API change in AX_CODE_COVERAGE version 28

See merge request dbus/dbus!108

5 years ago_dbus_get_is_errno_eagain_or_ewouldblock: Avoid warning
David King [Fri, 12 Oct 2018 15:20:39 +0000 (16:20 +0100)]
_dbus_get_is_errno_eagain_or_ewouldblock: Avoid warning

EAGAIN and EWOULDBLOCK are documented to possibly be numerically equal,
for instance in errno(3), and a simple logical OR check will trigger the
-Wlogical-op warning of GCC. The GCC developers consider the warning to
work as-designed in this case:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69602

Avoid such a warning by explicitly checking if the values are identical.

Fixes: https://gitlab.freedesktop.org/dbus/dbus/issues/225
Signed-off-by: David King <dking@redhat.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a65319134209d39f5eb6e5425ec6a35fad05bcd7)

5 years agodbus-send: Avoid duplicated-branches warning
David King [Wed, 17 Oct 2018 07:33:25 +0000 (08:33 +0100)]
dbus-send: Avoid duplicated-branches warning

Switch the order of the argument checks to avoid the
-Wduplicated-branches warning.

Signed-off-by: David King <dking@redhat.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit c0bf0d185d72e20e70da9a98e13f69e19f2a87d5)

5 years agodesktop-file: Justify implementation of is_valid_section_name()
Simon McVittie [Thu, 18 Oct 2018 14:34:09 +0000 (15:34 +0100)]
desktop-file: Justify implementation of is_valid_section_name()

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 99580298f305e1e2426f0c016d797a1ff9ea0b79)

5 years agois_valid_section_name: Fix logical expression
David King [Fri, 12 Oct 2018 12:58:43 +0000 (13:58 +0100)]
is_valid_section_name: Fix logical expression

Group names in desktop files may contain all ASCII characters, except
control characters and '[' and ']'. Rather than accepting all values,
thanks to a logical operator confusion found by GCC warning
-Wlogical-op, instead explicitly reject the invalid values.

Signed-off-by: David King <dking@redhat.com>
Fixes: https://gitlab.freedesktop.org/dbus/dbus/issues/208
(cherry picked from commit 3ef9e789c1b99f420078f4debabd4f5c4fa0a748)

5 years agoAdapt to API change in AX_CODE_COVERAGE version 28
Simon McVittie [Mon, 21 Jan 2019 17:51:07 +0000 (17:51 +0000)]
Adapt to API change in AX_CODE_COVERAGE version 28

AX_CODE_COVERAGE recently changed the way it embedded its Makefile rules
in the output file: instead of using @CODE_COVERAGE_RULES@, users
are now meant to include aminclude_static.am.

The new AX_CODE_COVERAGE is only in the latest autoconf-archive release,
version 2019.01.06, which is inconveniently new, so bundle everything
we need for the moment.

This requires us to stop using the deprecated CODE_COVERAGE_LDFLAGS
(which we still used to support older versions of autoconf-archive)
and replace them with CODE_COVERAGE_LIBS.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2938c2125ebcd001e470aeac1ffac45b6b1ebe89)
Closes: dbus#265

5 years agoconfigure.ac: Forbid AX_-prefixed patterns more selectively
Simon McVittie [Mon, 21 Jan 2019 14:28:24 +0000 (14:28 +0000)]
configure.ac: Forbid AX_-prefixed patterns more selectively

We want to make autoconf fail early and with a user-comprehensible
message if autoconf-archive isn't installed, rather than generating
a configure script with syntax errors, or a configure script that runs
successfully but doesn't do what we intended.

However, autoconf-archive doesn't actually guarantee not to use
AX_-prefixed shell variable names without m4_pattern_allow'ing them
(unlike Autoconf, Automake, Libtool and pkg-config, which explicitly use
m4_pattern_allow for variables with AC_, AM_, LT_ and PKG_ prefixes), so
it isn't safe to assume that they won't be used. In particular, recent
versions of AX_CHECK_GNU_MAKE appear to be using
$AX_CHECK_GNU_MAKE_HEADLINE as a shell variable.

Instead, specifically forbid the names of the finite list of macros
that we actually use.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: dbus#249
(cherry picked from commit ee09cc0acdc1c34e8ae999adf9922f3d0d66f407)

5 years agoStart working on dbus 1.12.14
Simon McVittie [Tue, 4 Dec 2018 17:26:06 +0000 (17:26 +0000)]
Start working on dbus 1.12.14

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years ago1.12.12 dbus-1.12.12
Simon McVittie [Tue, 4 Dec 2018 13:57:58 +0000 (13:57 +0000)]
1.12.12

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoCI: Start supporting Debian 10 'buster', currently under development
Simon McVittie [Mon, 3 Dec 2018 19:45:46 +0000 (19:45 +0000)]
CI: Start supporting Debian 10 'buster', currently under development

This gives us a way to build on a more recent host OS if we want to.
For Gitlab-CI it's disabled by default.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 28c27349e252e33215e21b570d41853badd770ef)

5 years agoCI: Exercise maintainer-only documentation build
Simon McVittie [Tue, 4 Dec 2018 11:25:21 +0000 (11:25 +0000)]
CI: Exercise maintainer-only documentation build

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit bcc34caa43d8e5dba8266cf163d8a24e4fb55dce)

5 years agoCI: Stop building on Ubuntu 14.04 'trusty'
Simon McVittie [Mon, 3 Dec 2018 19:44:47 +0000 (19:44 +0000)]
CI: Stop building on Ubuntu 14.04 'trusty'

The version of gcc in trusty is too old for AddressSanitizer, which we
want to be able to start using, and Travis-CI finally supports Ubuntu
16.04 'xenial' now. This lets us remove some workarounds, but we need
to update others.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 0c553afcd9c79bc19ffdad67980f421def5d0613)

5 years agoci-build.sh: Show file size in list of files to be able to compare generated file...
Ralf Habacker [Mon, 19 Nov 2018 19:29:33 +0000 (20:29 +0100)]
ci-build.sh: Show file size in list of files to be able to compare generated file size

(cherry picked from commit bac2fd3aa458c7dfd002f7ec96a245d630c5830f)

5 years agoCI: Remove unimplemented --with-glib option
Simon McVittie [Tue, 4 Dec 2018 11:29:12 +0000 (11:29 +0000)]
CI: Remove unimplemented --with-glib option

dbus has never actually had this option.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit e0a1bfb26a9f72e8fe59af770d394a90810a7cea)

5 years agoCI: List attributes, sizes etc. of installed files, not just names
Simon McVittie [Tue, 4 Dec 2018 11:25:02 +0000 (11:25 +0000)]
CI: List attributes, sizes etc. of installed files, not just names

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d71049799a3f87de95151e00c667c05dd0b5386c)

5 years agodoc: Remove obsolete message about man2html
Simon McVittie [Tue, 4 Dec 2018 11:41:11 +0000 (11:41 +0000)]
doc: Remove obsolete message about man2html

We no longer run man2html.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit f134e2d2c7ae53965dfba0c85bf76ad38fb7fa4c)

5 years agoCONTRIBUTING.md: Update and rewrite
Simon McVittie [Tue, 16 Oct 2018 14:44:59 +0000 (15:44 +0100)]
CONTRIBUTING.md: Update and rewrite

This file hadn't kept up with reality, and needs updating for Gitlab.
Take the opportunity to rewrite it.

Much of the text, particularly about commit messages, was taken from
Wayland's contributing guide (thanks to Ander Conselvan de Oliveira,
Bryce Harrington, Eric Engestrom, Pekka Paalanen and Daniel Stone).

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoCONTRIBUTING: Reformat as Markdown
Simon McVittie [Tue, 16 Oct 2018 14:02:29 +0000 (15:02 +0100)]
CONTRIBUTING: Reformat as Markdown

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoCONTRIBUTING: Remove all trailing whitespace
Simon McVittie [Tue, 16 Oct 2018 14:01:04 +0000 (15:01 +0100)]
CONTRIBUTING: Remove all trailing whitespace

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoRename HACKING to CONTRIBUTING
Simon McVittie [Wed, 22 Aug 2018 16:48:34 +0000 (17:48 +0100)]
Rename HACKING to CONTRIBUTING

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoNEWS: Refer to Gitlab
Simon McVittie [Mon, 3 Dec 2018 16:34:55 +0000 (16:34 +0000)]
NEWS: Refer to Gitlab

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoUpdate NEWS
Simon McVittie [Mon, 3 Dec 2018 16:31:07 +0000 (16:31 +0000)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agoactivation: Don't leak if delivering activation message is forbidden
Simon McVittie [Fri, 17 Aug 2018 14:42:17 +0000 (15:42 +0100)]
activation: Don't leak if delivering activation message is forbidden

This is technically a denial of service because the dbus-daemon will
run out of memory eventually, but it's a very slow and noisy one,
because all the rejected messages are also very likely to have
been logged to the system log.

Detected by AddressSanitizer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/234
Reviewed-by: pwithnall
5 years agoUpdate NEWS
Simon McVittie [Fri, 16 Nov 2018 15:09:39 +0000 (15:09 +0000)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
5 years agodbus-daemon test: Allow much longer for pending fd timeout
Simon McVittie [Tue, 23 Oct 2018 10:43:23 +0000 (11:43 +0100)]
dbus-daemon test: Allow much longer for pending fd timeout

The timeout we're using here is 0.5s (500ms), but the actual time taken
is unbounded, because the OS scheduler might not schedule our process
for an arbitrary length of time after we become runnable.

We previously allowed up to 1 second, but in the CI jobs for dbus!9
and dbus!18 we've seen this take up to 3.4 seconds (presumably
because other tests, or other jobs running on the same shared
infrastructure, starved this process). Allow up to 10 seconds to guard
against spurious failures.

The timeout used in the production system.conf is 150 seconds (2½
minutes), and we're only using the shorter 500ms timeout here to make
the test complete more quickly, so ±10 seconds is relatively
insignificant: the main thing is that it's finite.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 20e6eb7cd1f9c2ad941bd62c8f1f71712377a96e)

5 years agobuild: Never use poll() on Darwin family (macOS, etc.) or Interix
Simon McVittie [Mon, 22 Oct 2018 10:45:45 +0000 (11:45 +0100)]
build: Never use poll() on Darwin family (macOS, etc.) or Interix

Doing a runtime check in configure.ac (AC_RUN_IFELSE) has several
disadvantages:

* It doesn't work when cross-compiling. For example, if we build macOS
  binaries on a Linux system, we'd assume that poll() works, but in
  fact it won't.

* It checks the build system capabilities, but that is not necessarily
  appropriate if (for example) a macOS 10.10 user builds binaries that
  could be used by macOS 10.12 or macOS 10.9 users.

* It checks for one specific failure mode, but macOS seems to have a
  history of various implementation issues in poll().

* If we want it to work in CMake, we have to duplicate it in the CMake
  build system.

None of these is a showstopper on its own, but the combination of all
of them makes the current approach to avoiding the broken poll() on
macOS look unreliable. libcurl, a widely-portable library making
extensive use of sockets, specifically doesn't use poll() on Darwin
(macOS, iOS, etc.) or on Interix; let's follow their example here.

See also https://bugzilla.gnome.org/show_bug.cgi?id=302672 and
https://daniel.haxx.se/blog/2016/10/11/poll-on-mac-10-12-is-broken/
for some relevant history.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/232
(cherry picked from commit 0414ea65ca8196e328da09c3a2324d7765fba8c4)

6 years agoUpdate NEWS
Simon McVittie [Fri, 5 Oct 2018 11:29:56 +0000 (12:29 +0100)]
Update NEWS

6 years agoci: Use a separate ccache for each CI job
Simon McVittie [Thu, 4 Oct 2018 17:41:29 +0000 (18:41 +0100)]
ci: Use a separate ccache for each CI job

This should avoid them overwriting each other.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit e3fb085886d26aa84a0ce1bfe441244206c87e6f)

6 years agoci: Mark many Gitlab jobs to be run manually
Simon McVittie [Thu, 4 Oct 2018 16:26:42 +0000 (17:26 +0100)]
ci: Mark many Gitlab jobs to be run manually

freedesktop.org Gitlab doesn't currently have enough test runners
available to run all of this every time. For higher-risk changes
(for example those that change the build system) we can run the
complete set through the web UI.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a2f416c2896062755c285f2d1fe4a2dc03455aa1)

6 years agoci: Reshuffle mingw jobs so we test different combinations
Simon McVittie [Thu, 4 Oct 2018 16:04:41 +0000 (17:04 +0100)]
ci: Reshuffle mingw jobs so we test different combinations

We test the combinations that we don't test on Travis-CI.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a6d926b805a1a38567a70490b3e8d7d6c932d1f5)

6 years agoci: Use ccache to speed up repeated builds
Simon McVittie [Thu, 4 Oct 2018 09:50:37 +0000 (10:50 +0100)]
ci: Use ccache to speed up repeated builds

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d0728fd06e5a2302e7596e3df56b68b0a0834fd7)

6 years agoci: Add Gitlab-CI configuration
Simon McVittie [Wed, 3 Oct 2018 16:25:43 +0000 (17:25 +0100)]
ci: Add Gitlab-CI configuration

This uses the same shell scripts as Travis-CI, with slightly different
settings. We use Docker containers for all our Gitlab-CI runs, so take
the opportunity to use Debian 9 'stretch' as our baseline, and
relegate Ubuntu 14.04 'trusty' to to a secondary build.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 60933c09e9e891f74f0102fabe22d29a1a7ae5c5)

6 years agoci: Explicitly install cmake
Simon McVittie [Wed, 3 Oct 2018 16:51:35 +0000 (17:51 +0100)]
ci: Explicitly install cmake

Travis-CI workers have cmake preinstalled, but Gitlab-CI Docker images
typically don't.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 907832e00849ca454322052981dbb122ea537506)

6 years agoci: Teach ci-install.sh to install wine on Debian 9 'stretch'
Simon McVittie [Wed, 3 Oct 2018 16:51:49 +0000 (17:51 +0100)]
ci: Teach ci-install.sh to install wine on Debian 9 'stretch'

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 408b222a9fc61327cd7be385b6705f30f0c38802)

6 years agotravis-ci: Add cross building support for mingw 64 bit compiler
Ralf Habacker [Wed, 21 Mar 2018 10:48:52 +0000 (11:48 +0100)]
travis-ci: Add cross building support for mingw 64 bit compiler

Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit d22e7901b555a0bfb5e06fb2463d839a276c7482)

6 years agosysdeps-win: Print word-size-dependent offset correctly
Ralf Habacker [Thu, 22 Mar 2018 14:05:48 +0000 (15:05 +0100)]
sysdeps-win: Print word-size-dependent offset correctly

AddrPC.Offset is the same size as a pointer, but previously
we printed it as though it was the same size as a long,
which is 32 bits on 64-bit Windows.

Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit 577813cf3a89df804efa6d85a1c5415ba12806ec)

6 years agodbus-transport-socket: Correctly print DBusSocket with DBUS_SOCKET_FORMAT
Ralf Habacker [Wed, 21 Mar 2018 18:29:44 +0000 (19:29 +0100)]
dbus-transport-socket: Correctly print DBusSocket with DBUS_SOCKET_FORMAT

Previously, on 64-bit Windows we were passing a 32-bit int where the
format string expects a 64-bit SOCKET.

Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit 18d4ff664491c17664b9f88c06d9338cd3750120)

6 years agoUpdate NEWS
Simon McVittie [Thu, 30 Aug 2018 16:35:36 +0000 (17:35 +0100)]
Update NEWS

6 years agoReference the freedesktop.org Code of Conduct
Simon McVittie [Wed, 22 Aug 2018 16:50:18 +0000 (17:50 +0100)]
Reference the freedesktop.org Code of Conduct

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years agoUpdate NEWS
Simon McVittie [Thu, 30 Aug 2018 16:34:45 +0000 (17:34 +0100)]
Update NEWS

6 years agoDo not apply __attribute__((__malloc__)) to dbus_realloc()
Simon McVittie [Thu, 23 Aug 2018 08:01:03 +0000 (09:01 +0100)]
Do not apply __attribute__((__malloc__)) to dbus_realloc()

As noted in GLib commit c879f50f, gcc's interpretation of the malloc
attribute has become more strict over time, which could result in
miscompilation. The new definition is that in addition to assuming
that the returned memory block is newly-allocated, gcc now assumes
that it does not contain any valid pointers. This is OK for
uninitialized or zero-initialized memory returned by dbus_malloc()
or dbus_malloc0(), but not valid for dbus_realloc(), which might be
used for a dynamically-sized array of (structures containing)
valid pointers.

See https://gitlab.gnome.org/GNOME/glib/issues/1465

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107741

6 years agoUpdate NEWS
Simon McVittie [Thu, 30 Aug 2018 15:27:46 +0000 (16:27 +0100)]
Update NEWS

6 years agoserver-unix: Don't leak address of systemd server on success
Simon McVittie [Tue, 24 Jul 2018 12:21:37 +0000 (13:21 +0100)]
server-unix: Don't leak address of systemd server on success

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107320
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit d98c43c697fbeb104463dcf2da36d0d855bfb367)

6 years agobus: Free address (from --address) when we have finished using it
Simon McVittie [Tue, 24 Jul 2018 12:18:48 +0000 (13:18 +0100)]
bus: Free address (from --address) when we have finished using it

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107320
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 7ae750c4e887b2d63f87caaf2162125ec3217fcc)

6 years ago1.12.11
Simon McVittie [Fri, 3 Aug 2018 00:05:33 +0000 (01:05 +0100)]
1.12.11

6 years ago1.12.10 dbus-1.12.10
Simon McVittie [Thu, 2 Aug 2018 18:27:15 +0000 (19:27 +0100)]
1.12.10

6 years agoUpdate NEWS
Simon McVittie [Thu, 2 Aug 2018 18:24:00 +0000 (19:24 +0100)]
Update NEWS

6 years agovalidate_body_helper: Bounds-check before validating booleans
Simon McVittie [Thu, 12 Jul 2018 18:11:05 +0000 (19:11 +0100)]
validate_body_helper: Bounds-check before validating booleans

Running the "embedded tests" through valgrind revealed that before this
commit, we would have been willing to read up to 3 bytes off the end of
a message if the message is truncated part way through a boolean. Any
practical allocator will round up allocations to the next 32-bit (or
larger) boundary, so in practice this will not leave the memory buffer
(and in particular did not crash during unit testing), but it could read
uninitialized contents.

On little-endian CPUs, an attacker might be able to use this to learn
whether up to 3 bytes of uninitialized memory in the dbus-daemon
were all-zero (their crafted message would be relayed) or not (their
connection would be disconnected for sending an invalid message). On
big-endian CPUs, an attacker might be able to use this to learn whether
up to 3 bytes were all-zeroes (relayed to a cooperating peer), 0-2
bytes of all-zeroes followed by 0x01 (relayed to a cooperating peer),
or something else (disconnected). This is not believed to be exploitable
to leak interesting information.

Fixes: 62e46533 "hardcode dbus_bool_t to 32 bits"
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107332
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit e93a775e68daeda5c95984452aee6327e31c17dd)

6 years agoUpdate NEWS
Simon McVittie [Thu, 2 Aug 2018 16:19:26 +0000 (17:19 +0100)]
Update NEWS

6 years agononce: Don't try to rmdir(NULL) on OOM
Simon McVittie [Thu, 12 Jul 2018 12:32:10 +0000 (13:32 +0100)]
nonce: Don't try to rmdir(NULL) on OOM

If re-initializing the string fails, it will be left in a state
where it has a length of 0 and a NULL buffer. That's valid to
"free", but not valid to pass to rmdir().

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107194
(cherry picked from commit 294e8b0b672c8ffdcb8d9227f114846433659864)

6 years agodbus_server_listen: Don't leak first_connect_error
Simon McVittie [Wed, 11 Jul 2018 15:16:38 +0000 (16:16 +0100)]
dbus_server_listen: Don't leak first_connect_error

If an implementation fails to listen, and a subsequent implementation
succeeds, then we would have leaked this. Detected by running
tests/loopback.c under valgrind.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107194
(cherry picked from commit b14a4517a82f7e7e4c0b59cb663ebf77563decda)

6 years agosysdeps: Reassure gcc 8 that we are not overflowing struct sockaddr_un
Simon McVittie [Mon, 23 Jul 2018 17:52:01 +0000 (18:52 +0100)]
sysdeps: Reassure gcc 8 that we are not overflowing struct sockaddr_un

Using strncpy (buffer, str, strlen (str)) is a "code smell" that
might indicate a serious bug (it effectively turns strncpy into
strcpy), and gcc 8 now warns about it. In fact we avoided the bug
here, but it wasn't at all obvious.

We already checked that path_len is less than or equal to
_DBUS_MAX_SUN_PATH_LENGTH, which is 99, chosen to be strictly less
than the POSIX minimum sizeof(sun_path) >= 100, so we couldn't
actually be overflowing the available buffer.

The new static assertion in this commit matches a comment above the
definition of _DBUS_MAX_SUN_PATH_LENGTH: we define
_DBUS_MAX_SUN_PATH_LENGTH to 99, because POSIX says struct
sockaddr_un's sun_path member is at least 100 bytes (including space
for a \0 terminator). dbus will now fail to compile on
platforms that are non-POSIX-compliant in this way, except for Windows.

We zeroed the struct sockaddr_un before writing into it, so stopping
one byte short of the end of sun_path ensures that we get \0
termination.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107350
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit f429631365ba59a1749438af2184cab138a31772)

6 years agobuild: Disable new gcc 8 warning -Wcast-function-type
Simon McVittie [Mon, 23 Jul 2018 17:20:54 +0000 (18:20 +0100)]
build: Disable new gcc 8 warning -Wcast-function-type

The foreach(list, (DBusForeachFunction) free, NULL) idiom seems too
entrenched to remove it from stable branches.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107349
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>