diff options
author | Lukasz Skalski <l.skalski@samsung.com> | 2014-10-10 12:29:04 +0200 |
---|---|---|
committer | Daniel Mack <daniel@zonque.org> | 2014-10-10 12:44:31 +0200 |
commit | 82279e696605fe4eeadd1ca3744c76c8790f885b (patch) | |
tree | 8bf2421430314a31fe1b83f4419d7b501eec27f6 | |
parent | e737ef153c41435f1ad42b51233eedfb279e2ff7 (diff) |
kdbus: fix buffer overflow in bus_get_owner_kdbus() function
Commit 710fc9779b7c (kdbus repo) introduced attaching items[]
instead of name[] in kdbus_cmd_conn_info struct. Commit 581fe6c81
(systemd repo) caught up with this change, but item size was not
properly calculated.
-rw-r--r-- | src/libsystemd/sd-bus/bus-control.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c index dbd94fc46b..7b106a3274 100644 --- a/src/libsystemd/sd-bus/bus-control.c +++ b/src/libsystemd/sd-bus/bus-control.c @@ -398,7 +398,7 @@ static int bus_get_owner_kdbus( struct kdbus_cmd_conn_info *cmd; struct kdbus_conn_info *conn_info; struct kdbus_item *item; - size_t size; + size_t size, l; uint64_t m, id; int r; @@ -410,13 +410,12 @@ static int bus_get_owner_kdbus( cmd = alloca0_align(size, 8); cmd->id = id; } else { - size_t item_size = KDBUS_ITEM_HEADER_SIZE + strlen(name) + 1; - - size = offsetof(struct kdbus_cmd_conn_info, items) + item_size; + l = strlen(name) + 1; + size = offsetof(struct kdbus_cmd_conn_info, items) + KDBUS_ITEM_SIZE(l); cmd = alloca0_align(size, 8); - cmd->items[0].size = item_size; + cmd->items[0].size = KDBUS_ITEM_HEADER_SIZE + l; cmd->items[0].type = KDBUS_ITEM_NAME; - strcpy(cmd->items[0].str, name); + memcpy(cmd->items[0].str, name, l); } cmd->size = size; |