diff options
| author |   Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-08-11 08:32:20 +0200 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-10-02 11:53:20 +0200 |
| commit | 73777ddba5100fe6c0791cd37a91f24a515f3202 (patch) | |
| tree | 601fd142d1bc2e68f1ea0cc6f893a6987242819d /src/libsystemd/sd-bus/bus-message.c | |
| parent | bus-message: output debug information about offset troubles (diff) | |
| download | systemd-73777ddba5100fe6c0791cd37a91f24a515f3202.tar.gz systemd-73777ddba5100fe6c0791cd37a91f24a515f3202.tar.bz2 systemd-73777ddba5100fe6c0791cd37a91f24a515f3202.zip | |
bus-message: fix skipping of array fields in !gvariant messages
We copied part of the string into a buffer that was off by two.
If the element signature had length one, we'd copy 0 bytes and crash when
looking at the "first" byte. Otherwise, we would crash because strncpy would
not terminate the string.
Diffstat (limited to 'src/libsystemd/sd-bus/bus-message.c')
| -rw-r--r-- | src/libsystemd/sd-bus/bus-message.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c index 7fb48cb33..b1d89fddc 100644 --- a/src/libsystemd/sd-bus/bus-message.c +++ b/src/libsystemd/sd-bus/bus-message.c @@ -4958,18 +4958,18 @@ static int message_skip_fields( } else if (t == SD_BUS_TYPE_ARRAY) { - r = signature_element_length(*signature+1, &l); + r = signature_element_length(*signature + 1, &l); if (r < 0) return r; assert(l >= 1); { - char sig[l-1], *s; + char sig[l + 1], *s = sig; uint32_t nas; int alignment; - strncpy(sig, *signature + 1, l-1); - s = sig; + strncpy(sig, *signature + 1, l); + sig[l] = '\0'; alignment = bus_type_get_alignment(sig[0]); if (alignment < 0) |