manager: tighten incoming notification message checks

Let's not accept datagrams with embedded NUL bytes. Previously we'd simply ignore everything after the first NUL byte. But given that sending us that is pretty ugly let's instead complain and refuse. With this change we'll only accept messages that have exactly zero or one NUL bytes at the very end of the datagram.
author: Lennart Poettering <lennart@poettering.net> 2016-10-07 12:14:33 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-10-07 12:14:33 +0200
commit: 875ca88da576b4f7c412f6a5e1fc642ba3bd288a (patch)
tree: 96af1a8b2692bee96f7e48619cfb92826abd77fd /src
parent: 045a3d5989f7565dc496013a9e96d95d86a12cc8 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/src/core/manager.c b/src/core/manager.c
index 66b8904e4e..34db276a7d 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1766,8 +1766,14 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
                 return 0;
         }
 
-        /* The message should be a string. Here we make sure it's NUL-terminated,
-         * but only the part until first NUL will be used anyway. */
+        /* As extra safety check, let's make sure the string we get doesn't contain embedded NUL bytes. We permit one
+         * trailing NUL byte in the message, but don't expect it. */
+        if (n > 1 && memchr(buf, 0, n-1)) {
+                log_warning("Received notify message with embedded NUL bytes. Ignoring.");
+                return 0;
+        }
+
+        /* Make sure it's NUL-terminated. */
         buf[n] = 0;
 
         /* Notify every unit that might be interested, but try
author	Lennart Poettering <lennart@poettering.net>	2016-10-07 12:14:33 +0200
committer	Lennart Poettering <lennart@poettering.net>	2016-10-07 12:14:33 +0200
commit	875ca88da576b4f7c412f6a5e1fc642ba3bd288a (patch)
tree	96af1a8b2692bee96f7e48619cfb92826abd77fd /src
parent	045a3d5989f7565dc496013a9e96d95d86a12cc8 (diff)