gdbusmessage: Disallow zero-length elements in arrays

They are not allowed in the specification, and can lead to infinite loops when parsing. That’s a security issue if your application is accepting D-Bus messages from untrusted peers (perhaps in a peer-to-peer connection). It’s not exploitable when your application is connected to a bus (such as the system or session buses), as the bus daemons (dbus-daemon or dbus-broker) filter out such broken messages and don’t forward them. Arrays of zero-length elements are disallowed in the D-Bus specification: https://dbus.freedesktop.org/doc/dbus-specification.html#container-types oss-fuzz#41428, #41435 Fixes: #2557
2025-03-29 02:50:04 +01:00 · 2022-01-06 20:57:49 +00:00 · 2022-01-06 20:57:49 +00:00 · c74177337d
commit c74177337d
parent 6499ad5356
1 changed files with 10 additions and 0 deletions
--- a/gio/gdbusmessage.c
+++ b/gio/gdbusmessage.c
@ -1839,6 +1839,16 @@ parse_value_from_blob (GMemoryBuffer       *buf,
                        }
                      g_variant_builder_add_value (&builder, item);
                      g_variant_unref (item);
+
+                      /* Array elements must not be zero-length. There are no
+                       * valid zero-length serialisations of any types which
+                       * can be array elements in the D-Bus wire format, so this
+                       * assertion should always hold.
+                       *
+                       * See https://gitlab.gnome.org/GNOME/glib/-/issues/2557
+                       */
+                      g_assert (buf->pos > (gsize) offset);
+
                      offset = buf->pos;
                    }
                }