From f5a174649bd32a29e734b5687524f5677f82c36a Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Fri, 30 Sep 2022 14:01:05 +0100
Subject: [PATCH] test: Parse a message with a byteswapped Unix fd index
Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
Signed-off-by: Simon McVittie
(cherry picked from commit bef693f442d854505e7013fd31efe41747d7493c)
[backport to 1.14.x: discard Meson build system updates]
(cherry picked from commit 71dd3ad20cf8aca3310fa8d533801fb1d8bdaf1a)
[backport to 1.12.x: resolve conflicts in Autotools build system]
---
 test/Makefile.am | 2 +
 .../valid-messages/byteswap-fd-index.message-raw | Bin 0 -> 36 bytes
 .../byteswap-fd-index.message-raw.hex | 43 +++++++++++++++++++++
 test/message.c | 1 +
 4 files changed, 46 insertions(+)
 create mode 100644 test/data/valid-messages/byteswap-fd-index.message-raw
 create mode 100644 test/data/valid-messages/byteswap-fd-index.message-raw.hex
diff --git a/test/Makefile.am b/test/Makefile.am
index 99d6485..3bbf7f7 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -548,6 +548,8 @@ static_data = \
 data/valid-config-files-system/many-rules.conf \
 data/valid-config-files-system/system.d/test.conf \
 data/valid-messages/array-of-array-of-uint32.message \
+ data/valid-messages/byteswap-fd-index.message-raw \
+ data/valid-messages/byteswap-fd-index.message-raw.hex \
 data/valid-messages/dict-simple.message \
 data/valid-messages/dict.message \
 data/valid-messages/emptiness.message \
diff --git a/test/data/valid-messages/byteswap-fd-index.message-raw b/test/data/valid-messages/byteswap-fd-index.message-raw
new file mode 100644
index 0000000000000000000000000000000000000000..a1724ff8c4ce450205aa81f1ed63b2d7a2ef9a33
GIT binary patch literal 36 pcmZ?LHDqL9VBnd)XM!@2=HOsVXJE=GWB8%L#KDwU1{7jo004Gr1`hxL literal 0 HcmV?d00001
diff --git a/test/data/valid-messages/byteswap-fd-index.message-raw.hex b/test/data/valid-messages/byteswap-fd-index.message-raw.hex
new file mode 100644
index 0000000..f3d0f91
--- /dev/null
+++ b/test/data/valid-messages/byteswap-fd-index.message-raw.hex
@@ -0,0 +1,43 @@
+# Copyright 2022 Evgeny Vereshchagin
+# Copyright 2022 Collabora Ltd.
+# SPDX-License-Identifier: MIT
+#
+# This is an annotated hex-dump of a message originally generated by a
+# fuzzer.
+#
+# To output as binary:
+# sed -e 's/#.*//' test/data/invalid-messages/endian.message-raw.hex |
+# xxd -p -r - test/data/invalid-messages/endian.message-raw
+#
+# This message is technically valid, but not practically useful: it
+# contains a "handle" for the 4163371528th out-of-band file descriptor,
+# which is not a practically useful thing to send, because it exceeds any
+# reasonable number of file descriptors to attach to a message.
+#
+# The message is also in big-endian encoding (the opposite of the encoding
+# used by all commonly-used CPU architectures in 2022), which until
+# recently would trigger a denial-of-service vulnerability in the dbus
+# message marshalling code.
+
+# Offset % 0x10:
+# 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
+
+ 42 # big-endian
+ 2d # an undefined message type
+ 31 # flags
+ 01 # major protocol version 1
+ 0000 000c # message body is 0x0c = 12 bytes
+ 97bc 9023 # serial number 0x97bc9023
+ 0000 0008 # header is an array of 8 bytes of struct (yv)
+ 08 # header field code 0x08 (signature)
+ 01 # variant signature is 1 byte
+ 6700 # "g" \0
+ 02 # signature is 2 bytes
+ 68 7600 # "hv" \0
+ # begin message body, 12 bytes
+ f828 0208 # out-of-band fd, index = 0xf8280208
+ 02 # variant signature is 2 bytes
+ 61 7600 # "av" \0
+ 0000 0000 # array length is 0
+
+#sha1 f99a286aaaf84d9b97549f35f71042f4a2f37e78
diff --git a/test/message.c b/test/message.c
index 887935d..5204910 100644
--- a/test/message.c
+++ b/test/message.c
@@ -512,6 +512,7 @@ add_oom_test (const gchar *name,
 static const char *valid_messages[] = {
+ "byteswap-fd-index",
 "minimal",
 };
-- 2.7.4
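Review bot: The regeneration recipe in the header comment points at a different fixture's paths: the `sed`/`xxd` lines name `test/data/invalid-messages/endian.message-raw.hex` and `test/data/invalid-messages/endian.message-raw`, while this file is `test/data/valid-messages/byteswap-fd-index.message-raw.hex` and the binary it annotates is `byteswap-fd-index.message-raw`, so running the comment verbatim would overwrite another test's data instead of rebuilding this one. The two lines should read `# sed -e 's/#.*//' test/data/valid-messages/byteswap-fd-index.message-raw.hex |` and `# xxd -p -r - test/data/valid-messages/byteswap-fd-index.message-raw`. The trailing `#sha1` line presumably records the digest of the expected binary; a short comment beside it, `# sha1 of the .message-raw file the recipe above should produce`, would tell a reader what to compare the regenerated output against.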
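Review bot: The new `"byteswap-fd-index"` entry in `valid_messages[]` gives no hint of what the fixture exercises, and per the .hex annotations it is a big-endian message whose fd index (0xf8280208) far exceeds any attached fd count; a one-line comment next to it, `"byteswap-fd-index", /* dbus#417: big-endian message carrying an out-of-range fd index */`, ties the list entry to the issue named in the commit message. The hunk header announces 6 old and 7 new lines but only four are legible here, so some context lines (most likely blank ones) appear to have been lost in this rendering; the `valid_messages[]` initializer itself is fully visible. Whether the harness that consumes this list also byteswaps the message into native order is not visible in the hunk, so the test's coverage of the fd-index path cannot be confirmed from this diff alone.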