diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-03-18 21:03:37 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-03-18 21:03:37 +0100 |
commit | 2ce97e2b04c9f9ee51529488f3114693d5204ff1 (patch) | |
tree | 44338ae4290845bf550aa3b672b366f8c3cfaba5 | |
parent | 3f9da416457c4265b8f1179516a32ad1a987ff7d (diff) |
sd-bus: if we got a message with fds attached even though we didn't negotiate it, refuse to take it
This makes sure we don't mishandle if developers specificy a different
AcceptFileDescriptors= setting in .busname units then they set for the
bus connection in the activated program.
-rw-r--r-- | src/libsystemd/sd-bus/sd-bus.c | 72 |
1 files changed, 62 insertions, 10 deletions
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c index 2794a4483f..6a1f459044 100644 --- a/src/libsystemd/sd-bus/sd-bus.c +++ b/src/libsystemd/sd-bus/sd-bus.c @@ -1885,12 +1885,17 @@ _public_ int sd_bus_call( if (incoming->header->type == SD_BUS_MESSAGE_METHOD_RETURN) { - if (reply) - *reply = incoming; - else - sd_bus_message_unref(incoming); + if (incoming->n_fds <= 0 || (bus->hello_flags & KDBUS_HELLO_ACCEPT_FD)) { + if (reply) + *reply = incoming; + else + sd_bus_message_unref(incoming); + + return 1; + } + + r = sd_bus_error_setf(error, SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Reply message contained file descriptors which I couldn't accept. Sorry."); - return 1; } else if (incoming->header->type == SD_BUS_MESSAGE_METHOD_ERROR) r = sd_bus_error_copy(error, &incoming->error); else @@ -2108,8 +2113,9 @@ static int process_hello(sd_bus *bus, sd_bus_message *m) { } static int process_reply(sd_bus *bus, sd_bus_message *m) { + _cleanup_bus_message_unref_ sd_bus_message *synthetic_reply = NULL; _cleanup_bus_error_free_ sd_bus_error error_buffer = SD_BUS_ERROR_NULL; - struct reply_callback *c; + _cleanup_free_ struct reply_callback *c = NULL; int r; assert(bus); @@ -2126,13 +2132,32 @@ static int process_reply(sd_bus *bus, sd_bus_message *m) { if (c->timeout != 0) prioq_remove(bus->reply_callbacks_prioq, c, &c->prioq_idx); - r = sd_bus_message_rewind(m, true); - if (r < 0) - return r; + if (m->n_fds > 0 && !(bus->hello_flags & KDBUS_HELLO_ACCEPT_FD)) { + + /* If the reply contained a file descriptor which we + * didn't want we pass an error instead. */ + + r = bus_message_new_synthetic_error( + bus, + m->reply_cookie, + &SD_BUS_ERROR_MAKE_CONST(SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Reply message contained file descriptor"), + &synthetic_reply); + if (r < 0) + return r; + + r = bus_seal_synthetic_message(bus, synthetic_reply); + if (r < 0) + return r; + + m = synthetic_reply; + } else { + r = sd_bus_message_rewind(m, true); + if (r < 0) + return r; + } r = c->callback(bus, m, c->userdata, &error_buffer); r = bus_maybe_reply_error(m, r, &error_buffer); - free(c); return r; } @@ -2244,6 +2269,29 @@ static int process_builtin(sd_bus *bus, sd_bus_message *m) { return 1; } +static int process_fd_check(sd_bus *bus, sd_bus_message *m) { + assert(bus); + assert(m); + + /* If we got a message with a file descriptor which we didn't + * want to accept, then let's drop it. How can this even + * happen? For example, when the kernel queues a message into + * an activatable names's queue which allows fds, and then is + * delivered to us later even though we ourselves did not + * negotiate it. */ + + if (m->n_fds <= 0) + return 0; + + if (bus->hello_flags & KDBUS_HELLO_ACCEPT_FD) + return 0; + + if (m->header->type != SD_BUS_MESSAGE_METHOD_CALL) + return 1; /* just eat it up */ + + return sd_bus_reply_method_errorf(m, SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Message contains file descriptors, which I cannot accept. Sorry."); +} + static int process_message(sd_bus *bus, sd_bus_message *m) { int r; @@ -2272,6 +2320,10 @@ static int process_message(sd_bus *bus, sd_bus_message *m) { if (r != 0) goto finish; + r = process_fd_check(bus, m); + if (r != 0) + goto finish; + r = process_filter(bus, m); if (r != 0) goto finish; |