dbus-marshal-validate: Validate length of arrays of fixed-length items

This fast-path previously did not check that the array was made up of an integer number of items. This could lead to assertion failures and out-of-bounds accesses during subsequent message processing (which assumes that the message has already been validated), particularly after the addition of _dbus_header_remove_unknown_fields(), which makes it more likely that dbus-daemon will apply non-trivial edits to messages. Thanks: Evgeny Vereshchagin Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 Resolves: CVE-2022-42011 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit 079bbf1618) (cherry picked from commit b9e6a75230)
2026-02-04 16:30:35 +01:00 · 2022-09-12 13:14:18 +01:00 · 2022-09-12 13:14:18 +01:00 · 3b8a7aff22
commit 3b8a7aff22
parent 35d12acb0e
1 changed files with 12 additions and 1 deletions
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader       *reader,
                 */ 
                if (dbus_type_is_fixed (array_elem_type))
                  {
+                    /* Note that fixed-size types all have sizes equal to
+                     * their alignments, so this is really the item size. */
+                    alignment = _dbus_type_get_alignment (array_elem_type);
+                    _dbus_assert (alignment == 1 || alignment == 2 ||
+                                  alignment == 4 || alignment == 8);
+
+                    /* Because the alignment is a power of 2, this is
+                     * equivalent to: (claimed_len % alignment) != 0,
+                     * but avoids slower integer division */
+                    if ((claimed_len & (alignment - 1)) != 0)
+                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
+
                    /* bools need to be handled differently, because they can
                     * have an invalid value
                     */
                    if (array_elem_type == DBUS_TYPE_BOOLEAN)
                      {
                        dbus_uint32_t v;
-                        alignment = _dbus_type_get_alignment (array_elem_type);

                        while (p < array_end)
                          {