From: James Prestwood <prestwoj@gmail.com>
To: ell@lists.01.org
Subject: [PATCH] dbus: explicitly handle messages with NULL interface
Date: Tue, 19 Jan 2021 15:26:46 -0800
Message-ID: <20210119232646.430146-1-prestwoj@gmail.com>


It was assumed that the DBus daemon would filter messages with
no interfaces set, but some daemons do not (dbus-broker). This
leads to the potential for a crash if the method call has no
interface set. A crash can be seen in IWD with a few lines of
python:

import dbus

bus = dbus.SystemBus()
obj = bus.get_object("net.connman.iwd", "/")
print(obj.FooBar())

The above isn't necessarily a 'valid' way of doing things, but
it does result in a crash which traces back to ELL. The actual
method call (FooBar in this case) is arbitrary and could be
anything.

++++++++ backtrace ++++++++
0  0x7f532cda6a70 in /lib64/libc.so.6
1  0x47c4d2 in _dbus_object_tree_dispatch() at ell/dbus-service.c:1755
2  0x473f23 in message_read_handler() at ell/dbus.c:284
3  0x46be0c in io_callback() at ell/io.c:118
4  0x46b12d in l_main_iterate() at ell/main.c:471 (discriminator 2)
5  0x46b1dc in l_main_run() at ell/main.c:520
6  0x46b3ec in l_main_run_with_signal() at ell/main.c:648
7  0x403ea9 in main() at src/main.c:490
8  0x7f532cd91042 in /lib64/libc.so.6
+++++++++++++++++++++++++++

The DBus spec does mention the possibility of the interface field
being empty. It does not recommend doing this, but does not
explicitly forbid it. Handling of this case is left up to the
implementation.

The fix is simple: check that the message has an interface set and
if not return an error.
---
 ell/dbus-service.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ell/dbus-service.c b/ell/dbus-service.c
index 4976b43..a7d6236 100644
--- a/ell/dbus-service.c
+++ b/ell/dbus-service.c
@@ -1749,6 +1749,16 @@ bool _dbus_object_tree_dispatch(struct _dbus_object_tree *tree,
 	member = l_dbus_message_get_member(message);
 	msg_sig = l_dbus_message_get_signature(message);
 
+	/*
+	 * Nothing in the spec explicitly forbids this, but handling of such
+	 * messages is left up to the implementation.
+	 *
+	 * TODO: Another route is to go looking for a matching method under this
+	 * object and call it.
+	 */
+	if (!interface)
+		return false;
+
 	if (!msg_sig)
 		msg_sig = "";
 
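Review bot: The new `if (!interface) return false;` check does not show that the sender receives "an error" as the commit message says; what a bare `false` return makes the caller do is not visible in this hunk. If the caller does not turn it into an error reply, the sender of the method call is left waiting until its own timeout, so please confirm that the false path in message_read_handler() produces an error reply, or build one here, and state that in the comment. The comment would also read better if it named what "this" is (a method call with no interface header field), and a unit test that dispatches such a message would keep the crash from coming back.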
-- 
2.26.2
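
An added example, not part of the patch or of ELL: a sketch of the alternative the patch's TODO comment mentions, looking the member up on the object when the message carries no interface, and refusing when the lookup is ambiguous. `struct iface`, `dispatch()`, the result codes and the `com.example.*` table are hypothetical and constructed for illustration; interface names are assumed unique per object.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified interface table; not ELL's real types. */
struct iface { const char *name; const char *const *methods; /* NULL-terminated */ };
enum dispatch_result { DISPATCH_OK, DISPATCH_NOT_FOUND, DISPATCH_AMBIGUOUS };

static int has_method(const struct iface *i, const char *member)
{
	for (const char *const *m = i->methods; *m; m++)
		if (strcmp(*m, member) == 0)
			return 1;
	return 0;
}

/* interface may be NULL (the field is optional on method calls), so it is
 * only compared when present. Without it, the member must match exactly one
 * interface; ambiguity is reported instead of guessing. */
enum dispatch_result dispatch(const struct iface *ifaces, size_t n,
			      const char *interface, const char *member,
			      const struct iface **out)
{
	const struct iface *hit = NULL;

	if (!member)
		return DISPATCH_NOT_FOUND;
	for (size_t k = 0; k < n; k++) {
		if (interface && strcmp(ifaces[k].name, interface) != 0)
			continue;
		if (!has_method(&ifaces[k], member))
			continue;
		if (hit)	/* second match: only possible when interface is NULL */
			return DISPATCH_AMBIGUOUS;
		hit = &ifaces[k];
	}
	if (!hit)
		return DISPATCH_NOT_FOUND;
	*out = hit;
	return DISPATCH_OK;
}

/* Constructed sample object: two interfaces that both expose "Scan". */
static const char *const station_methods[] = { "Scan", "Disconnect", NULL };
static const char *const device_methods[] = { "Scan", NULL };
const struct iface sample_ifaces[] = {
	{ "com.example.Station", station_methods },
	{ "com.example.Device", device_methods },
};
```

Both non-OK results would map to an error reply to the caller, so an arbitrary member name such as the FooBar call above ends in `DISPATCH_NOT_FOUND` rather than a NULL dereference.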
