From f5e4724a3d7c5727ef5550ab95b3c47e290c1376 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sun, 4 Sep 2022 21:17:53 +0100 Subject: message: Fix assertion failure unpacking handle to an out-of-range fd In the D-Bus wire protocol, the representation of a Unix fd is a simple integer in the message body (referred to as the "handle" in GDBus) which acts as an index into the array of out-of-band fds attached to the message. The libdbus API (and therefore the dbus-python API) automatically translates handles into fds, but the GDBus API does not, making it possible for a GDBus sender to send a message containing handles that are out-of-range for the number of attached fds. The message bus also does not prevent such messages from being sent. dbus-python services need to cope with this and fail gracefully while unpacking the message, rather than crashing with an assertion failure in UnixFd_tp_new when the fd turns out to be invalid. Resolves: https://github.com/firewalld/firewalld/issues/985 Signed-off-by: Simon McVittie
---
 dbus_bindings/message-get-args.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/dbus_bindings/message-get-args.c b/dbus_bindings/message-get-args.c
index 6dad272..628a616 100644
--- a/dbus_bindings/message-get-args.c
+++ b/dbus_bindings/message-get-args.c
@@ -307,7 +307,15 @@ _message_iter_get_pyobject(DBusMessageIter *iter,
 #ifdef DBUS_TYPE_UNIX_FD
 case DBUS_TYPE_UNIX_FD:
 DBG("%s", "found an unix fd");
+ /* Note that this can return an invalid fd (less than 0) if the
+ * sender has included an index numerically greater than the
+ * number of fds that were attached out-of-band to the message.
+ * libdbus cannot send messages like this, but GDBus can. */
 dbus_message_iter_get_basic(iter, &u.fd);
+ if (u.fd < 0) {
+ PyErr_Format(PyExc_ValueError, "invalid file descriptor in message");
+ break;
+ }
 args = Py_BuildValue("(i)", u.fd);
 if (args) {
 ret = PyObject_Call((PyObject *)&DBusPyUnixFd_Type, args,
-- cgit v1.2.3
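Review bot: The new `break` in the `u.fd < 0` branch only surfaces as a Python exception if `ret` is still NULL when the switch is left, and the hunk does not show where `ret` is initialised or returned, because `_message_iter_get_pyobject` starts and ends outside it. It is worth confirming that invariant, or making it explicit with `ret = NULL;` before the `break`, so that a message from an untrusted peer carrying an out-of-range handle always ends in a clean error return. As the message takes no format arguments, `PyErr_SetString(PyExc_ValueError, "invalid file descriptor in message");` is the plainer call. The diffstat touches only this file, so a regression test that drives such a message through the unpacking path would help keep the assertion failure from coming back.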