gdbusmessage: Add more bounds checking when parsing D-Bus messages

Philip Withnall requested to merge 2528-dbus-message-truncation into main

Perform strict bounds checking when reading data from the D-Bus message, and propagate errors to the callers.

Previously, truncated D-Bus messages could cause out-of-bounds reads.

This is a security issue, but one which is only exploitable when communicating with an untrusted peer (who might send malicious messages). Almost all D-Bus traffic is with a session or system bus, where the dbus-daemon or dbus-broker is trusted, and is known to have already rejected malformed (malicious) messages.

Accordingly, this is only exploitable with peer-to-peer D-Bus conversations with an untrusted peer.

(Includes some minor cleanups from Philip Withnall.)

oss-fuzz#17408

Fixes: #2528 (closed)

Closes #2528 (closed)
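The kind of check the description refers to, as an added example (not code from this merge request or from GLib): a cursor that reads a D-Bus STRING (UINT32 length, the bytes, then a NUL) and returns an error instead of reading past a truncated buffer. The names `reader_t`, `reader_align`, `read_u32`, `read_string` and `parse_sample` are hypothetical, and the sample assumes little-endian marshalling.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical cursor over an untrusted message body (not GLib's types). */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } reader_t;

/* Advance pos to the next multiple of align; fail if padding leaves the buffer. */
static int reader_align(reader_t *r, size_t align) {
    size_t pad = (align - r->pos % align) % align;
    if (pad > r->len - r->pos) return -1;
    r->pos += pad;
    return 0;
}

/* Read a little-endian UINT32 (4-byte aligned), or return -1 on truncation. */
static int read_u32(reader_t *r, uint32_t *out) {
    if (reader_align(r, 4) != 0 || r->len - r->pos < 4) return -1;
    const uint8_t *p = r->buf + r->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    r->pos += 4;
    return 0;
}

/* Read a D-Bus STRING: UINT32 length, then that many bytes, then a NUL.
 * On success *str points into the buffer and *n is the length without the NUL. */
static int read_string(reader_t *r, const char **str, uint32_t *n) {
    uint32_t slen;
    if (read_u32(r, &slen) != 0) return -1;
    size_t remaining = r->len - r->pos;
    /* Compare against the bytes left; never compute pos + slen + 1, which can wrap. */
    if (remaining == 0 || slen > remaining - 1) return -1;
    if (r->buf[r->pos + slen] != '\0') return -1;               /* terminator present */
    if (memchr(r->buf + r->pos, '\0', slen) != NULL) return -1; /* no embedded NUL */
    *str = (const char *)(r->buf + r->pos);
    *n = slen;
    r->pos += (size_t)slen + 1;
    return 0;
}

/* Constructed sample: the string "hello" marshalled little-endian. */
static const uint8_t sample[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', 0 };
/* Parse only the first avail bytes of the sample; returns the length or -1. */
int parse_sample(size_t avail) {
    reader_t r = { sample, avail, 0 };
    const char *s; uint32_t n;
    if (read_string(&r, &s, &n) != 0) return -1;
    return (int)n;
}
```

Every caller checks the return value, so a short read surfaces as a parse error rather than a read past the end of the buffer.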