From 25220239990c7859a65160d63277105d0c1de8a8 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 21 Mar 2013 23:20:25 +0100
Subject: [PATCH] bus: enforce limits on all client influenced data objects

---
 src/libsystemd-bus/bus-internal.h |  6 ++++++
 src/libsystemd-bus/sd-bus.c       | 21 +++++++++++++++++----
 src/libsystemd-bus/sd-bus.h       |  2 --
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/libsystemd-bus/bus-internal.h b/src/libsystemd-bus/bus-internal.h
index 9e4cf16b7..b0e97915c 100644
--- a/src/libsystemd-bus/bus-internal.h
+++ b/src/libsystemd-bus/bus-internal.h
@@ -110,3 +110,9 @@ static inline void bus_unrefp(sd_bus **b) {
 #define _cleanup_bus_unref_ __attribute__((cleanup(bus_unrefp)))
 
 #define BUS_DEFAULT_TIMEOUT ((usec_t) (25 * USEC_PER_SEC))
+
+#define BUS_WQUEUE_MAX 128
+#define BUS_RQUEUE_MAX 128
+
+#define BUS_MESSAGE_SIZE_MAX (64*1024*1024)
+#define BUS_AUTH_SIZE_MAX (64*1024)
diff --git a/src/libsystemd-bus/sd-bus.c b/src/libsystemd-bus/sd-bus.c
index ad840cc87..1dd234d61 100644
--- a/src/libsystemd-bus/sd-bus.c
+++ b/src/libsystemd-bus/sd-bus.c
@@ -35,8 +35,6 @@
 #include "bus-message.h"
 #include "bus-type.h"
 
-#define WQUEUE_MAX 128
-
 static int bus_poll(sd_bus *bus, bool need_more, uint64_t timeout_usec);
 
 static void bus_free(sd_bus *b) {
@@ -495,6 +493,13 @@ static int bus_read_auth(sd_bus *b) {
                 return r;
 
         n = MAX(3 + 32 + 2 + sizeof("AGREE_UNIX_FD") - 1 + 2, b->rbuffer_size * 2);
+
+        if (n > BUS_AUTH_SIZE_MAX)
+                n = BUS_AUTH_SIZE_MAX;
+
+        if (b->rbuffer_size >= n)
+                return -ENOBUFS;
+
         p = realloc(b->rbuffer, n);
         if (!p)
                 return -ENOMEM;
@@ -845,6 +850,7 @@ static int message_write(sd_bus *bus, sd_bus_message *m, size_t *idx) {
 static int message_read_need(sd_bus *bus, size_t *need) {
         uint32_t a, b;
         uint8_t e;
+        uint64_t sum;
 
         assert(bus);
         assert(need);
@@ -885,7 +891,11 @@ static int message_read_need(sd_bus *bus, size_t *need) {
         } else
                 return -EBADMSG;
 
-        *need = sizeof(struct bus_header) + ALIGN_TO(b, 8) + a;
+        sum = (uint64_t) sizeof(struct bus_header) + (uint64_t) ALIGN_TO(b, 8) + (uint64_t) a;
+        if (sum >= BUS_MESSAGE_SIZE_MAX)
+                return -ENOBUFS;
+
+        *need = (size_t) sum;
         return 0;
 }
 
@@ -1093,7 +1103,7 @@ int sd_bus_send(sd_bus *bus, sd_bus_message *m, uint64_t *serial) {
 
                 /* Just append it to the queue. */
 
-                if (bus->wqueue_size >= WQUEUE_MAX)
+                if (bus->wqueue_size >= BUS_WQUEUE_MAX)
                         return -ENOBUFS;
 
                 q = realloc(bus->wqueue, sizeof(sd_bus_message*) * (bus->wqueue_size + 1));
@@ -1300,6 +1310,9 @@ int sd_bus_send_with_reply_and_block(
                 if (!room) {
                         sd_bus_message **q;
 
+                        if (bus->rqueue_size >= BUS_RQUEUE_MAX)
+                                return -ENOBUFS;
+
                         /* Make sure there's room for queuing this
                          * locally, before we read the message */
 
diff --git a/src/libsystemd-bus/sd-bus.h b/src/libsystemd-bus/sd-bus.h
index a759f54f3..1d7bfa86b 100644
--- a/src/libsystemd-bus/sd-bus.h
+++ b/src/libsystemd-bus/sd-bus.h
@@ -38,8 +38,6 @@
  * - add object handlers
  * - add peer message handlers
  * - verify object paths
- * - when reading a message, verify its size
- * - add limits to wqueue and rqueue alike
  */
 
 typedef struct sd_bus sd_bus;
-- 
2.30.2