test: Parse a message with a byteswapped Unix fd index

Reproduces: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 Signed-off-by: Simon McVittie <smcv@collabora.com> (cherry picked from commit bef693f442) [backport to 1.14.x: discard Meson build system updates]
2026-01-30 18:40:25 +01:00 · 2022-09-30 14:01:05 +01:00 · 2022-09-30 14:01:05 +01:00 · 71dd3ad20c
commit 71dd3ad20c
parent 7a8f3c2af9
4 changed files with 46 additions and 0 deletions
--- a/test/Makefile.am
+++ b/test/Makefile.am
@ -725,6 +725,8 @@ static_data = \
 	data/valid-config-files/standard-session-dirs.conf \
 	data/valid-config-files-system/many-rules.conf \
 	data/valid-config-files-system/system.d/test.conf \
+	data/valid-messages/byteswap-fd-index.message-raw \
+	data/valid-messages/byteswap-fd-index.message-raw.hex \
 	data/valid-messages/minimal.message-raw \
 	data/valid-messages/minimal.message-raw.hex \
 	$(NULL)
--- a/test/data/valid-messages/byteswap-fd-index.message-raw
+++ b/test/data/valid-messages/byteswap-fd-index.message-raw
--- a/test/data/valid-messages/byteswap-fd-index.message-raw.hex
+++ b/test/data/valid-messages/byteswap-fd-index.message-raw.hex
@ -0,0 +1,43 @@
+# Copyright 2022 Evgeny Vereshchagin
+# Copyright 2022 Collabora Ltd.
+# SPDX-License-Identifier: MIT
+#
+# This is an annotated hex-dump of a message originally generated by a
+# fuzzer.
+#
+# To output as binary:
+# sed -e 's/#.*//' test/data/invalid-messages/endian.message-raw.hex |
+# xxd -p -r - test/data/invalid-messages/endian.message-raw
+#
+# This message is technically valid, but not practically useful: it
+# contains a "handle" for the 4163371528th out-of-band file descriptor,
+# which is not a practically useful thing to send, because it exceeds any
+# reasonable number of file descriptors to attach to a message.
+#
+# The message is also in big-endian encoding (the opposite of the encoding
+# used by all commonly-used CPU architectures in 2022), which until
+# recently would trigger a denial-of-service vulnerability in the dbus
+# message marshalling code.
+
+# Offset % 0x10:
+# 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
+
+  42                                       # big-endian
+    2d                                     # an undefined message type
+       31                                  # flags
+         01                                # major protocol version 1
+            0000 000c                      # message body is 0x0c = 12 bytes
+                      97bc 9023            # serial number 0x97bc9023
+                                0000 0008  # header is an array of 8 bytes of struct (yv)
+  08                                       # header field code 0x08 (signature)
+    01                                     # variant signature is 1 byte
+       6700                                # "g" \0
+            02                             # signature is 2 bytes
+              68 7600                      # "hv" \0
+                                           # begin message body, 12 bytes
+                      f828 0208            # out-of-band fd, index = 0xf8280208
+                                02         # variant signature is 2 bytes
+                                  61 7600  # "av" \0
+  0000 0000                                # array length is 0
+
+#sha1 f99a286aaaf84d9b97549f35f71042f4a2f37e78
--- a/test/message.c
+++ b/test/message.c
@ -514,6 +514,7 @@ add_oom_test (const gchar *name,

 static const char *valid_messages[] =
 {
+  "byteswap-fd-index",
  "minimal",
 };