From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Thu, 9 Jun 2011 17:52:10 +0100
Subject: [PATCH] _dbus_header_byteswap: change the first byte of the message,
not just the struct member
This has been wrong approximately forever, for instance see:
http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
This prevents a local DoS, in which users can disconnect a system service
from the system bus by sending a non-native-endian message to it.
CVE: CVE-2011-2200
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
Origin: upstream, http://cgit.freedesktop.org/dbus/dbus/commit/?id=c3223ba6
Applied-upstream: 1.4.12, commit:c3223ba6c401ba81df1305851312a47c485e6cd7
Applied-upstream: 1.2.28, commit:6519a1f77c61d753d4c97efd6e15630eb275336e
---
dbus/dbus-marshal-header.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/dbus/dbus-marshal-header.c b/dbus/dbus-marshal-header.c
index 3f31d7a..a6c9b80 100644
--- a/dbus/dbus-marshal-header.c
+++ b/dbus/dbus-marshal-header.c
@@ -1468,14 +1468,20 @@ void
_dbus_header_byteswap (DBusHeader *header,
int new_order)
{
+ unsigned char byte_order;
+
if (header->byte_order == new_order)
return;
+ byte_order = _dbus_string_get_byte (&header->data, BYTE_ORDER_OFFSET);
+ _dbus_assert (header->byte_order == byte_order);
+
_dbus_marshal_byteswap (&_dbus_header_signature_str,
0, header->byte_order,
new_order,
&header->data, 0);
+ _dbus_string_set_byte (&header->data, BYTE_ORDER_OFFSET, new_order);
header->byte_order = new_order;
}
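Review bot: the new `byte_order` local is read only inside `_dbus_assert (header->byte_order == byte_order)`, so if assertions are compiled out it becomes a set-but-unused variable, and a mismatch between the first data byte and the struct member goes unnoticed while the swap proceeds on the value in `header->byte_order`. Consider folding the `_dbus_string_get_byte` call into the assert expression, or keeping the local and marking it as assert-only. A one-line comment above `_dbus_string_set_byte (&header->data, BYTE_ORDER_OFFSET, new_order)` saying that the first byte of the marshalled header is the endianness marker and must stay in step with `header->byte_order` would record why both writes are needed. The diffstat shows only dbus/dbus-marshal-header.c changing, so a regression test that byteswaps a header and checks the byte at `BYTE_ORDER_OFFSET` would be worth adding alongside this fix.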