kdbus: fix buffer overflow in bus_get_owner_kdbus() function
authorLukasz Skalski <l.skalski@samsung.com>
Fri, 10 Oct 2014 10:29:04 +0000 (12:29 +0200)
committerDaniel Mack <daniel@zonque.org>
Fri, 10 Oct 2014 10:44:31 +0000 (12:44 +0200)
Commit 710fc9779b7c (kdbus repo) introduced attaching items[]
instead of name[] in kdbus_cmd_conn_info struct. Commit 581fe6c81
(systemd repo) caught up with this change, but item size was not
properly calculated.

src/libsystemd/sd-bus/bus-control.c

index dbd94fc..7b106a3 100644 (file)
@@ -398,7 +398,7 @@ static int bus_get_owner_kdbus(
         struct kdbus_cmd_conn_info *cmd;
         struct kdbus_conn_info *conn_info;
         struct kdbus_item *item;
-        size_t size;
+        size_t size, l;
         uint64_t m, id;
         int r;
 
@@ -410,13 +410,12 @@ static int bus_get_owner_kdbus(
                 cmd = alloca0_align(size, 8);
                 cmd->id = id;
         } else {
-                size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1;
-
-                size = offsetof(struct kdbus_cmd_conn_info, items) + item_size;
+                l = strlen(name) + 1;
+                size = offsetof(struct kdbus_cmd_conn_info, items) + KDBUS_ITEM_SIZE(l);
                 cmd = alloca0_align(size, 8);
-                cmd->items[0].size = item_size;
+                cmd->items[0].size = KDBUS_ITEM_HEADER_SIZE + l;
                 cmd->items[0].type = KDBUS_ITEM_NAME;
-                strcpy(cmd->items[0].str, name);
+                memcpy(cmd->items[0].str, name, l);
         }
 
         cmd->size = size;
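Review bot: The `alloca0_align(size, 8)` call in the else branch sizes a stack allocation from `strlen(name)`, and nothing visible in this hunk bounds that length. bus_get_owner_kdbus() starts and ends outside the hunk, so the name may already be validated earlier; if it is not, a very long name becomes a large stack allocation. A guard before the allocation would make the bound explicit, for example `if (l > MAX_NAME_LEN /* placeholder: the bus name length limit */) return -EINVAL;`. Separately, the allocation uses `KDBUS_ITEM_SIZE(l)` while `items[0].size` is set to `KDBUS_ITEM_HEADER_SIZE + l`, and that difference looks like the substance of the fix, so it deserves a comment above the size computation such as `/* buffer uses the (presumably padded) KDBUS_ITEM_SIZE(); items[0].size is the unpadded header + string length */`.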