Commit | Line | Data |
---|---|---|
9a46e0dd MB |
1 | Fix CVE-2020-12049: |
2 | ||
3 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12049 | |
4 | https://lists.freedesktop.org/archives/ftp-release/2020-June/000753.html | |
5 | ||
6 | Taken from upstream: | |
7 | ||
8 | https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 | |
9 | ||
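--- a/dbus/dbus-sysdeps-unix.c
+++ b/dbus/dbus-sysdeps-unix.c
@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
 struct cmsghdr *cm;
 dbus_bool_t found = FALSE;
 
- if (m.msg_flags & MSG_CTRUNC)
- {
- /* Hmm, apparently the control data was truncated. The bad
- thing is that we might have completely lost a couple of fds
- without chance to recover them. Hence let's treat this as a
- serious error. */
-
- errno = ENOSPC;
- _dbus_string_set_length (buffer, start);
- return -1;
- }
-
 for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
 if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
 {
@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
 if (!found)
 *n_fds = 0;
 
+ if (m.msg_flags & MSG_CTRUNC)
+ {
+ unsigned int i;
+
+ /* Hmm, apparently the control data was truncated. The bad
+ thing is that we might have completely lost a couple of fds
+ without chance to recover them. Hence let's treat this as a
+ serious error. */
+
+ /* We still need to close whatever fds we *did* receive,
+ * otherwise they'll never get closed. (CVE-2020-12049) */
+ for (i = 0; i < *n_fds; i++)
+ close (fds[i]);
+
+ *n_fds = 0;
+ errno = ENOSPC;
+ _dbus_string_set_length (buffer, start);
+ return -1;
+ }
+
 /* put length back (doesn't actually realloc) */
 _dbus_string_set_length (buffer, start + bytes_read);
 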
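Review bot: The relocated MSG_CTRUNC branch in the second hunk depends on an ordering that its comments do not record: `errno = ENOSPC` must stay after the `close (fds[i])` loop, because a failing close() may overwrite errno, and `*n_fds = 0` is what tells the caller that it no longer owns anything in `fds`. I would extend the added comment with `/* Set errno only after closing: close() may clobber it. *n_fds is reset so the caller never closes these fds a second time. */`. The cleanup also assumes that `*n_fds` and `fds[]` hold exactly the descriptors copied out by the SCM_RIGHTS loop, which sits between the two hunks and is not visible here, so that should be confirmed against the full function. A regression test that delivers more descriptors than the control buffer can hold and asserts the receiver's open-descriptor count stays flat would keep this leak from returning. The body of _dbus_read_socket_with_unix_fds starts and ends outside both hunks.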