bus: enforce limits on all client influenced data objects

diff --git a/src/libsystemd-bus/bus-internal.h b/src/libsystemd-bus/bus-internal.h
index 9e4cf16b7f84aa118a12d45f6b1fc738b6036d2b..b0e97915ccdf7e846bfd531d9f5d2aac2dc4f139 100644 (file)
--- a/src/libsystemd-bus/bus-internal.h
+++ b/src/libsystemd-bus/bus-internal.h
@@ -110,3 +110,9 @@ static inline void bus_unrefp(sd_bus **b) {
 #define _cleanup_bus_unref_ __attribute__((cleanup(bus_unrefp)))
 
 #define BUS_DEFAULT_TIMEOUT ((usec_t) (25 * USEC_PER_SEC))
+
+#define BUS_WQUEUE_MAX 128
+#define BUS_RQUEUE_MAX 128
+
+#define BUS_MESSAGE_SIZE_MAX (64*1024*1024)
+#define BUS_AUTH_SIZE_MAX (64*1024)

diff --git a/src/libsystemd-bus/sd-bus.c b/src/libsystemd-bus/sd-bus.c
index ad840cc875c6e4bf87ab072435f8b620a58527b1..1dd234d61b8e625731da5cf8e4ae7c47775ce472 100644 (file)
--- a/src/libsystemd-bus/sd-bus.c
+++ b/src/libsystemd-bus/sd-bus.c
@@ -35,8 +35,6 @@
 #include "bus-message.h"
 #include "bus-type.h"
 
-#define WQUEUE_MAX 128
-
 static int bus_poll(sd_bus *bus, bool need_more, uint64_t timeout_usec);
 
 static void bus_free(sd_bus *b) {
@@ -495,6 +493,13 @@ static int bus_read_auth(sd_bus *b) {
                 return r;
 
         n = MAX(3 + 32 + 2 + sizeof("AGREE_UNIX_FD") - 1 + 2, b->rbuffer_size * 2);
+
+        if (n > BUS_AUTH_SIZE_MAX)
+                n = BUS_AUTH_SIZE_MAX;
+
+        if (b->rbuffer_size >= n)
+                return -ENOBUFS;
+
         p = realloc(b->rbuffer, n);
         if (!p)
                 return -ENOMEM;
@@ -845,6 +850,7 @@ static int message_write(sd_bus *bus, sd_bus_message *m, size_t *idx) {
 static int message_read_need(sd_bus *bus, size_t *need) {
         uint32_t a, b;
         uint8_t e;
+        uint64_t sum;
 
         assert(bus);
         assert(need);
@@ -885,7 +891,11 @@ static int message_read_need(sd_bus *bus, size_t *need) {
         } else
                 return -EBADMSG;
 
-        *need = sizeof(struct bus_header) + ALIGN_TO(b, 8) + a;
+        sum = (uint64_t) sizeof(struct bus_header) + (uint64_t) ALIGN_TO(b, 8) + (uint64_t) a;
+        if (sum >= BUS_MESSAGE_SIZE_MAX)
+                return -ENOBUFS;
+
+        *need = (size_t) sum;
         return 0;
 }
 
@@ -1093,7 +1103,7 @@ int sd_bus_send(sd_bus *bus, sd_bus_message *m, uint64_t *serial) {
 
                 /* Just append it to the queue. */
 
-                if (bus->wqueue_size >= WQUEUE_MAX)
+                if (bus->wqueue_size >= BUS_WQUEUE_MAX)
                         return -ENOBUFS;
 
                 q = realloc(bus->wqueue, sizeof(sd_bus_message*) * (bus->wqueue_size + 1));
@@ -1300,6 +1310,9 @@ int sd_bus_send_with_reply_and_block(
                 if (!room) {
                         sd_bus_message **q;
 
+                        if (bus->rqueue_size >= BUS_RQUEUE_MAX)
+                                return -ENOBUFS;
+
                         /* Make sure there's room for queuing this
                          * locally, before we read the message */
 

diff --git a/src/libsystemd-bus/sd-bus.h b/src/libsystemd-bus/sd-bus.h
index a759f54f3e1f82f94b71bf72eedda974d10eabcb..1d7bfa86b8b77a64f026a5e2d1aad2a924bef6f9 100644 (file)
--- a/src/libsystemd-bus/sd-bus.h
+++ b/src/libsystemd-bus/sd-bus.h
@@ -38,8 +38,6 @@
  * - add object handlers
  * - add peer message handlers
  * - verify object paths
- * - when reading a message, verify its size
- * - add limits to wqueue and rqueue alike
  */
 
 typedef struct sd_bus sd_bus;