summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-03-18 21:03:37 +0100
committerLennart Poettering <lennart@poettering.net>2014-03-18 21:03:37 +0100
commit2ce97e2b04c9f9ee51529488f3114693d5204ff1 (patch)
tree44338ae4290845bf550aa3b672b366f8c3cfaba5
parent3f9da416457c4265b8f1179516a32ad1a987ff7d (diff)
sd-bus: if we got a message with fds attached even though we didn't negotiate it, refuse to take it
This makes sure we don't mishandle if developers specificy a different AcceptFileDescriptors= setting in .busname units then they set for the bus connection in the activated program.
-rw-r--r--src/libsystemd/sd-bus/sd-bus.c72
1 files changed, 62 insertions, 10 deletions
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index 2794a4483f..6a1f459044 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -1885,12 +1885,17 @@ _public_ int sd_bus_call(
if (incoming->header->type == SD_BUS_MESSAGE_METHOD_RETURN) {
- if (reply)
- *reply = incoming;
- else
- sd_bus_message_unref(incoming);
+ if (incoming->n_fds <= 0 || (bus->hello_flags & KDBUS_HELLO_ACCEPT_FD)) {
+ if (reply)
+ *reply = incoming;
+ else
+ sd_bus_message_unref(incoming);
+
+ return 1;
+ }
+
+ r = sd_bus_error_setf(error, SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Reply message contained file descriptors which I couldn't accept. Sorry.");
- return 1;
} else if (incoming->header->type == SD_BUS_MESSAGE_METHOD_ERROR)
r = sd_bus_error_copy(error, &incoming->error);
else
@@ -2108,8 +2113,9 @@ static int process_hello(sd_bus *bus, sd_bus_message *m) {
}
static int process_reply(sd_bus *bus, sd_bus_message *m) {
+ _cleanup_bus_message_unref_ sd_bus_message *synthetic_reply = NULL;
_cleanup_bus_error_free_ sd_bus_error error_buffer = SD_BUS_ERROR_NULL;
- struct reply_callback *c;
+ _cleanup_free_ struct reply_callback *c = NULL;
int r;
assert(bus);
@@ -2126,13 +2132,32 @@ static int process_reply(sd_bus *bus, sd_bus_message *m) {
if (c->timeout != 0)
prioq_remove(bus->reply_callbacks_prioq, c, &c->prioq_idx);
- r = sd_bus_message_rewind(m, true);
- if (r < 0)
- return r;
+ if (m->n_fds > 0 && !(bus->hello_flags & KDBUS_HELLO_ACCEPT_FD)) {
+
+ /* If the reply contained a file descriptor which we
+ * didn't want we pass an error instead. */
+
+ r = bus_message_new_synthetic_error(
+ bus,
+ m->reply_cookie,
+ &SD_BUS_ERROR_MAKE_CONST(SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Reply message contained file descriptor"),
+ &synthetic_reply);
+ if (r < 0)
+ return r;
+
+ r = bus_seal_synthetic_message(bus, synthetic_reply);
+ if (r < 0)
+ return r;
+
+ m = synthetic_reply;
+ } else {
+ r = sd_bus_message_rewind(m, true);
+ if (r < 0)
+ return r;
+ }
r = c->callback(bus, m, c->userdata, &error_buffer);
r = bus_maybe_reply_error(m, r, &error_buffer);
- free(c);
return r;
}
@@ -2244,6 +2269,29 @@ static int process_builtin(sd_bus *bus, sd_bus_message *m) {
return 1;
}
+static int process_fd_check(sd_bus *bus, sd_bus_message *m) {
+ assert(bus);
+ assert(m);
+
+ /* If we got a message with a file descriptor which we didn't
+ * want to accept, then let's drop it. How can this even
+ * happen? For example, when the kernel queues a message into
+ * an activatable names's queue which allows fds, and then is
+ * delivered to us later even though we ourselves did not
+ * negotiate it. */
+
+ if (m->n_fds <= 0)
+ return 0;
+
+ if (bus->hello_flags & KDBUS_HELLO_ACCEPT_FD)
+ return 0;
+
+ if (m->header->type != SD_BUS_MESSAGE_METHOD_CALL)
+ return 1; /* just eat it up */
+
+ return sd_bus_reply_method_errorf(m, SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Message contains file descriptors, which I cannot accept. Sorry.");
+}
+
static int process_message(sd_bus *bus, sd_bus_message *m) {
int r;
@@ -2272,6 +2320,10 @@ static int process_message(sd_bus *bus, sd_bus_message *m) {
if (r != 0)
goto finish;
+ r = process_fd_check(bus, m);
+ if (r != 0)
+ goto finish;
+
r = process_filter(bus, m);
if (r != 0)
goto finish;