mirror of
https://gitlab.gnome.org/GNOME/glib.git
synced 2025-01-25 21:46:14 +01:00
gdbusmessage: Gracefully handle message signatures with invalid types
With the changes to limit GVariant type nesting (commit 7c4e6e9fbe
),
it’s now possible to have a valid type signature which is not a valid
GVariant type when enclosed in parentheses (to make it a tuple).
Check for that when parsing the signature field in a D-Bus message.
Includes a unit test.
oss-fuzz#11120
Signed-off-by: Philip Withnall <withnall@endlessm.com>
This commit is contained in:
parent
a72766bb9c
commit
0ff5e5cd32
@ -2148,18 +2148,20 @@ g_dbus_message_new_from_blob (guchar *blob,
|
|||||||
else if (signature_str_len > 0)
|
else if (signature_str_len > 0)
|
||||||
{
|
{
|
||||||
GVariantType *variant_type;
|
GVariantType *variant_type;
|
||||||
gchar *tupled_signature_str;
|
gchar *tupled_signature_str = g_strdup_printf ("(%s)", signature_str);
|
||||||
|
|
||||||
if (!g_variant_is_signature (signature_str))
|
if (!g_variant_is_signature (signature_str) ||
|
||||||
|
!g_variant_type_string_is_valid (tupled_signature_str))
|
||||||
{
|
{
|
||||||
g_set_error (error,
|
g_set_error (error,
|
||||||
G_IO_ERROR,
|
G_IO_ERROR,
|
||||||
G_IO_ERROR_INVALID_ARGUMENT,
|
G_IO_ERROR_INVALID_ARGUMENT,
|
||||||
_("Parsed value “%s” is not a valid D-Bus signature (for body)"),
|
_("Parsed value “%s” is not a valid D-Bus signature (for body)"),
|
||||||
signature_str);
|
signature_str);
|
||||||
|
g_free (tupled_signature_str);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
tupled_signature_str = g_strdup_printf ("(%s)", signature_str);
|
|
||||||
variant_type = g_variant_type_new (tupled_signature_str);
|
variant_type = g_variant_type_new (tupled_signature_str);
|
||||||
g_free (tupled_signature_str);
|
g_free (tupled_signature_str);
|
||||||
#ifdef DEBUG_SERIALIZER
|
#ifdef DEBUG_SERIALIZER
|
||||||
|
@ -1205,6 +1205,64 @@ test_message_parse_multiple_signature_header (void)
|
|||||||
|
|
||||||
/* ---------------------------------------------------------------------------------------------------- */
|
/* ---------------------------------------------------------------------------------------------------- */
|
||||||
|
|
||||||
|
/* Test that an invalid header in a D-Bus message (specifically, containing a
|
||||||
|
* variant with a valid type signature that is too long to be a valid
|
||||||
|
* #GVariantType due to exceeding the array nesting limits) is gracefully
|
||||||
|
* handled with an error rather than a crash. The set of bytes here come
|
||||||
|
* directly from fuzzer output. */
|
||||||
|
static void
|
||||||
|
test_message_parse_over_long_signature_header (void)
|
||||||
|
{
|
||||||
|
const guint8 data[] = {
|
||||||
|
'l', /* little-endian byte order */
|
||||||
|
0x20, /* message type */
|
||||||
|
0x20, /* message flags */
|
||||||
|
0x01, /* major protocol version */
|
||||||
|
0x20, 0x20, 0x20, 0x01, /* body length (invalid) */
|
||||||
|
0x20, 0x20, 0x20, 0x20, /* message serial */
|
||||||
|
/* a{yv} of header fields:
|
||||||
|
* (things start to be even more invalid below here) */
|
||||||
|
0x20, 0x00, 0x00, 0x00, /* array length (in bytes) */
|
||||||
|
0x08, /* array key */
|
||||||
|
/* Variant array value: */
|
||||||
|
0x04, /* signature length */
|
||||||
|
'g', 0x00, 0x20, 0x20, /* one complete type plus some rubbish */
|
||||||
|
0x00, /* nul terminator */
|
||||||
|
/* (Variant array value payload) */
|
||||||
|
/* Critically, this contains 128 nested ‘a’s, which exceeds
|
||||||
|
* %G_VARIANT_MAX_RECURSION_DEPTH. */
|
||||||
|
0xec,
|
||||||
|
'a', 'b', 'g', 'd', 'u', 'd', 'd', 'd', 'd', 'd', 'd', 'd',
|
||||||
|
'd', 'd', 'd',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
|
||||||
|
'v'
|
||||||
|
/* (message body length missing) */
|
||||||
|
};
|
||||||
|
gsize size = sizeof (data);
|
||||||
|
GDBusMessage *message = NULL;
|
||||||
|
GError *local_error = NULL;
|
||||||
|
|
||||||
|
message = g_dbus_message_new_from_blob ((guchar *) data, size,
|
||||||
|
G_DBUS_CAPABILITY_FLAGS_NONE,
|
||||||
|
&local_error);
|
||||||
|
g_assert_error (local_error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT);
|
||||||
|
g_assert_null (message);
|
||||||
|
|
||||||
|
g_clear_error (&local_error);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* ---------------------------------------------------------------------------------------------------- */
|
||||||
|
|
||||||
int
|
int
|
||||||
main (int argc,
|
main (int argc,
|
||||||
char *argv[])
|
char *argv[])
|
||||||
@ -1230,6 +1288,8 @@ main (int argc,
|
|||||||
test_message_parse_empty_signature_header);
|
test_message_parse_empty_signature_header);
|
||||||
g_test_add_func ("/gdbus/message-parse/multiple-signature-header",
|
g_test_add_func ("/gdbus/message-parse/multiple-signature-header",
|
||||||
test_message_parse_multiple_signature_header);
|
test_message_parse_multiple_signature_header);
|
||||||
|
g_test_add_func ("/gdbus/message-parse/over-long-signature-header",
|
||||||
|
test_message_parse_over_long_signature_header);
|
||||||
|
|
||||||
return g_test_run();
|
return g_test_run();
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user