This is installed by default, but easy to filter out for embedded systems
or whatever.
Based on earlier work by Simon McVittie and Will Thompson
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=34140
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
In practice, the sort of applications that call dbus_shutdown()
(e.g. regression tests) will want to either use private connections,
or turn off exit-on-disconnect on the shared connection, or both.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=16924
In particular this makes them more MinGW-friendly: pkg-config on Windows
has specific code to rewrite the ${prefix} when installed in a
different prefix.
[add @datarootdir@, expand commit message -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75858
The message type is more important than whether NO_REPLY_EXPECTED is
set, when deciding whether a reply is expected. This documents
existing practice in at least libdbus, GDBus and dbus-daemon.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75749
Reviewed-by: Thiago Macieira
The differences has been found out by comparing with the cross compiled
mingw..-dbus packages.
[exclude system bus support bits on Windows -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83583
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
On Unix, the thing that can be made close-on-exec is a file descriptor,
which is an int.
On Windows, the thing that can be made close-on-exec is a HANDLE,
which is pointer-sized (but not necessarily a pointer!). In practice,
on Windows we only called _dbus_fd_set_close_on_exec() on socket
pseudo-file-descriptors (SOCKET, which is an unsigned int);
every SOCKET can validly be cast to HANDLE, but not every HANDLE
is a SOCKET.
Before this commit we used an intptr_t as a sort of fake
union { int; HANDLE; }, which just obscures what's going on.
In practice, everything that called _dbus_fd_set_close_on_exec()
is really platform-specific anyway, so let's just have two separate
functions and call this solved.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39610
This addresses CVE-2014-3635.
If (*n_fds * sizeof (int) % sizeof (size_t)) is nonzero,
then CMSG_SPACE (*n_fds * sizeof (int)) > CMSG_LEN (*n_fds * sizeof (int)
because the SPACE includes padding to a size_t boundary, whereas the LEN
does not. We have to allocate the SPACE. Previously, we told the kernel
that the buffer size we wanted was the SPACE, not the LEN, which meant
it was free to fill the padding with additional fds: on a 64-bit
platform with 32-bit int, that's one extra fd, if *n_fds happens
to be odd.
This meant that a malicious sender could send exactly 1 fd too many,
which would make us fail an assertion if enabled, or overrun a buffer
by 1 fd otherwise.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
This means we can use _DBUS_STATIC_ASSERT at non-global scope without
tripping -Wunused-local-typedefs.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83767
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
(cherry picked from commit 0e3d08d45c)
This is one of four commits needed to address CVE-2014-3637.
The bus uses _dbus_connection_set_pending_fds_function and
_dbus_connection_get_pending_fds_count to be notified when there are pending
file descriptors. A timeout per connection is armed and disarmed when the file
descriptor list is used and emptied.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is one of four commits needed to address CVE-2014-3637.
This will allow the bus to be notified whenever a file descriptor is added or
removed from a DBusConnection's DBusMessageLoader.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is one of four commits needed to address CVE-2014-3637.
This will allow the bus to know whether there are pending file descriptors in a
DBusConnection's DBusMessageLoader.
https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[fix compilation on platforms that do not HAVE_UNIX_FD_PASSING -smcv]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is one of four commits needed to address CVE-2014-3637.
When a file descriptor is passed to dbus-daemon, the associated D-Bus message
might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
descriptor in the DBusMessageLoader of the connection, waiting for the rest of
the message. If the client stops sending the remaining bytes, dbus-daemon will
wait forever and keep that file descriptor.
This patch adds pending_fd_timeout (milliseconds) in the configuration to
disconnect a connection after a timeout when a file descriptor was sent but not
the remaining message.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This partially addresses CVE-2014-3639.
This will change the default on the system bus where the limit
<limit name="auth_timeout">...</limit>
is not specified.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
