1 Star 0 Fork 49

李双全/systemd

forked from src-anolis-os/systemd 
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
0169-bus-message-fix-calculation-of-offsets-table-for-arr.patch 3.20 KB
一键复制 编辑 原始数据 按行查看 历史
张彬琛 提交于 2021-01-20 13:59 . import systemd-239-29.el8.src.rpm
From 871bb5457c5951870d447f53c976a1a1f2dac85d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 3 Aug 2018 14:46:57 +0200
Subject: [PATCH] bus-message: fix calculation of offsets table for arrays
This is similar to the grandparent commit 'fix calculation of offsets table',
except that now the change is for array elements. Same story as before: we need
to make sure that the offsets increase enough taking alignment into account.
While at it, rename 'p' to 'previous' to match similar code in other places.
(cherry picked from commit f88214cf9d66c93f4d22c4c8980de9ee3ff45bab)
Resolves: #1696224
---
src/libsystemd/sd-bus/bus-message.c | 17 ++++++++++++-----
...sh-d8f3941c74219b4c03532c9b244d5ea539c61af5 | Bin 0 -> 41 bytes
2 files changed, 12 insertions(+), 5 deletions(-)
create mode 100644 test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index c8f7937102..ac823aaf58 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -3532,7 +3532,7 @@ static int bus_message_enter_array(
size_t rindex;
void *q;
- int r, alignment;
+ int r;
assert(m);
assert(c);
@@ -3558,6 +3558,7 @@ static int bus_message_enter_array(
if (!BUS_MESSAGE_IS_GVARIANT(m)) {
/* dbus1 */
+ int alignment;
r = message_peek_body(m, &rindex, 4, 4, &q);
if (r < 0)
@@ -3591,7 +3592,8 @@ static int bus_message_enter_array(
*n_offsets = 0;
} else {
- size_t where, p = 0, framing, sz;
+ size_t where, previous = 0, framing, sz;
+ int alignment;
unsigned i;
/* gvariant: variable length array */
@@ -3619,17 +3621,22 @@ static int bus_message_enter_array(
if (!*offsets)
return -ENOMEM;
+ alignment = bus_gvariant_get_alignment(c->signature);
+ assert(alignment > 0);
+
for (i = 0; i < *n_offsets; i++) {
- size_t x;
+ size_t x, start;
+
+ start = ALIGN_TO(previous, alignment);
x = bus_gvariant_read_word_le((uint8_t*) q + i * sz, sz);
if (x > c->item_size - sz)
return -EBADMSG;
- if (x < p)
+ if (x < start)
return -EBADMSG;
(*offsets)[i] = rindex + x;
- p = x;
+ previous = x;
}
*item_size = (*offsets)[0] - rindex;
diff --git a/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 b/test/fuzz/fuzz-bus-message/crash-d8f3941c74219b4c03532c9b244d5ea539c61af5
new file mode 100644
index 0000000000000000000000000000000000000000..26262e1149825a114a89bf9cee5aeca0be463984
GIT binary patch
literal 41
rcmd1#|DTC5gMmSS0SHWtIT#p03<d^9CI$wL#Kgo*AWlro&=ddwoTCSm
literal 0
HcmV?d00001
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/shqli/systemd.git
git@gitee.com:shqli/systemd.git
shqli
systemd
systemd
a8

搜索帮助

0d507c66 1850385 C8b1a773 1850385