summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/libsystemd-bus/bus-internal.h2
-rw-r--r--src/libsystemd-bus/bus-message.c19
-rw-r--r--src/libsystemd-bus/sd-bus.h1
3 files changed, 21 insertions, 1 deletions
diff --git a/src/libsystemd-bus/bus-internal.h b/src/libsystemd-bus/bus-internal.h
index 3c2478e8fd..d0b7b5658d 100644
--- a/src/libsystemd-bus/bus-internal.h
+++ b/src/libsystemd-bus/bus-internal.h
@@ -118,6 +118,8 @@ static inline void bus_unrefp(sd_bus **b) {
#define BUS_MESSAGE_SIZE_MAX (64*1024*1024)
#define BUS_AUTH_SIZE_MAX (64*1024)
+#define BUS_CONTAINER_DEPTH 128
+
/* Defined by the specification as maximum size of an array in
* bytes */
#define BUS_ARRAY_MAX_SIZE 67108864
diff --git a/src/libsystemd-bus/bus-message.c b/src/libsystemd-bus/bus-message.c
index ec98de3132..74ea71ec0d 100644
--- a/src/libsystemd-bus/bus-message.c
+++ b/src/libsystemd-bus/bus-message.c
@@ -1741,6 +1741,25 @@ int sd_bus_message_enter_container(sd_bus_message *m, char type, const char *con
if (!contents)
return -EINVAL;
+ /*
+ * We enforce a global limit on container depth, that is much
+ * higher than the 32 structs and 32 arrays the specification
+ * mandates. This is simpler to implement for us, and we need
+ * this only to ensure our container array doesn't grow
+ * without bounds. We are happy to return any data from a
+ * message as long as the data itself is valid, even if the
+ * overall message might be not.
+ *
+ * Note that the message signature is validated when
+ * parsing the headers, and that validation does check the
+ * 32/32 limit.
+ *
+ * Note that the specification defines no limits on the depth
+ * of stacked variants, but we do.
+ */
+ if (m->n_containers >= BUS_CONTAINER_DEPTH)
+ return -EBADMSG;
+
w = realloc(m->containers, sizeof(struct bus_container) * (m->n_containers + 1));
if (!w)
return -ENOMEM;
diff --git a/src/libsystemd-bus/sd-bus.h b/src/libsystemd-bus/sd-bus.h
index adc7f8e2bd..8af1e85aae 100644
--- a/src/libsystemd-bus/sd-bus.h
+++ b/src/libsystemd-bus/sd-bus.h
@@ -32,7 +32,6 @@
* - make unix fd passing work
* - add page donation logic
* - api for appending/reading fixed arrays
- * - always verify container depth
* - merge busctl into systemctl or so?
* - add object handlers
* - implicitly add stub introspection calls