author | Lennart Poettering <lennart@poettering.net> | 2016-10-07 12:14:33 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-10-07 12:14:33 +0200 |
commit | 875ca88da576b4f7c412f6a5e1fc642ba3bd288a (patch) | |
tree | 96af1a8b2692bee96f7e48619cfb92826abd77fd /src/core/manager.c | |
parent | 045a3d5989f7565dc496013a9e96d95d86a12cc8 (diff) |
manager: tighten incoming notification message checks

Let's not accept datagrams with embedded NUL bytes. Previously we'd simply
ignore everything after the first NUL byte. But given that sending us that is
pretty ugly let's instead complain and refuse.

With this change we'll only accept messages that have exactly zero or one NUL
bytes at the very end of the datagram.
Diffstat (limited to 'src/core/manager.c')
-rw-r--r-- | src/core/manager.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/core/manager.c b/src/core/manager.c index 66b8904e4e..34db276a7d 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -1766,8 +1766,14 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t return 0; } - /* The message should be a string. Here we make sure it's NUL-terminated, - * but only the part until first NUL will be used anyway. */ + /* As extra safety check, let's make sure the string we get doesn't contain embedded NUL bytes. We permit one + * trailing NUL byte in the message, but don't expect it. */ + if (n > 1 && memchr(buf, 0, n-1)) { + log_warning("Received notify message with embedded NUL bytes. Ignoring."); + return 0; + } + + /* Make sure it's NUL-terminated. */ buf[n] = 0; /* Notify every unit that might be interested, but try |
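Review bot: the log_warning() in the new embedded-NUL branch runs once for every rejected datagram and names no sender, so a client that keeps sending such messages can fill the journal with identical lines that give an operator nothing to act on. If the sender's credentials are already known at this point in manager_dispatch_notify_fd(), include the PID in the message, and consider rate limiting the warning or logging it at a lower level. Separately, with `if (n > 1 && memchr(buf, 0, n-1))` a datagram consisting of a single NUL byte is still accepted and becomes an empty string after `buf[n] = 0;`. That matches the "zero or one NUL at the very end" rule in the commit message, but the comment above the check should say so explicitly, since the `n > 1` guard otherwise looks like it only protects the `n-1` length.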