Backport !2355 “gdbusmessage: Add more bounds checking when parsing D-Bus messages” to glib-2-70 (!2356) · Merge requests · GNOME / GLib

Philip Withnall requested to merge pwithnall/glib:backport-2355-dbus-message-truncation-glib-2-70 into glib-2-70 Nov 23, 2021

Perform strict bounds checking when reading data from the D-Bus message, and propagate errors to the callers.

Previously, truncated D-Bus messages could cause out-of-bounds reads.

This is a security issue, but one which is only exploitable when communicating with an untrusted peer (who might send malicious messages). Almost all D-Bus traffic is with a session or system bus, where the dbus-daemon or dbus-broker is trusted, and is known to have already rejected malformed (malicious) messages.

Accordingly, this is only exploitable with peer-to-peer D-Bus conversations with an untrusted peer.

(Includes some minor cleanups from Philip Withnall.)

oss-fuzz#17408 Fixes: #2528 (closed)

Trivial backport of !2355 (merged) to glib-2-70.

Backport !2355 “gdbusmessage: Add more bounds checking when parsing D-Bus messages” to glib-2-70

Merge request reports