authorLukasz Skalski <l.skalski@samsung.com>2014-10-10 12:29:04 +0200
committerDaniel Mack <daniel@zonque.org>2014-10-10 12:44:31 +0200
commit82279e696605fe4eeadd1ca3744c76c8790f885b (patch)
tree8bf2421430314a31fe1b83f4419d7b501eec27f6
parente737ef153c41435f1ad42b51233eedfb279e2ff7 (diff)
kdbus: fix buffer overflow in bus_get_owner_kdbus() function
Commit 710fc9779b7c (kdbus repo) introduced attaching items[] instead of name[] in kdbus_cmd_conn_info struct. Commit 581fe6c81 (systemd repo) caught up with this change, but item size was not properly calculated.
-rw-r--r--src/libsystemd/sd-bus/bus-control.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c
index dbd94fc46b..7b106a3274 100644
--- a/src/libsystemd/sd-bus/bus-control.c
+++ b/src/libsystemd/sd-bus/bus-control.c
@@ -398,7 +398,7 @@ static int bus_get_owner_kdbus(
struct kdbus_cmd_conn_info *cmd;
struct kdbus_conn_info *conn_info;
struct kdbus_item *item;
- size_t size;
+ size_t size, l;
uint64_t m, id;
int r;
@@ -410,13 +410,12 @@ static int bus_get_owner_kdbus(
cmd = alloca0_align(size, 8);
cmd->id = id;
} else {
- size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1;
-
- size = offsetof(struct kdbus_cmd_conn_info, items) + item_size;
+ l = strlen(name) + 1;
+ size = offsetof(struct kdbus_cmd_conn_info, items) + KDBUS_ITEM_SIZE(l);
cmd = alloca0_align(size, 8);
- cmd->items[0].size = item_size;
+ cmd->items[0].size = KDBUS_ITEM_HEADER_SIZE + l;
cmd->items[0].type = KDBUS_ITEM_NAME;
- strcpy(cmd->items[0].str, name);
+ memcpy(cmd->items[0].str, name, l);
}
cmd->size = size;
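Review bot: The stack allocation `cmd = alloca0_align(size, 8)` in the else branch is sized from `strlen(name)`, and nothing in this hunk bounds that length, so an over-long name would translate directly into an over-large stack frame. The body of bus_get_owner_kdbus() starts and ends outside the hunk, so a validity check on `name` may already exist earlier or in the callers; if it does not, reject the name before computing `l`, and either way state the bound in a comment next to the allocation. The two sizes now differ on purpose, which is exactly what the previous code got wrong, so it deserves a comment too, for example `/* items[0].size is the unpadded item length; the buffer is sized with KDBUS_ITEM_SIZE(l), which presumably rounds up to the 8-byte item alignment */`.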