diff options
| author | Sami Rosendahl <ext-sami.1.rosendahl@nokia.com> | 2011-11-30 20:36:56 +0100 |
|---|---|---|
| committer | Oswald Buddenhagen <oswald.buddenhagen@nokia.com> | 2011-11-30 20:38:30 +0100 |
| commit | e20eaed5c1968e32eca97cf449fa588cfab35a5d (patch) | |
| tree | fae8b740521b9e5fb1c530d9c9a5215201a4ad80 /src/dbus | |
| parent | 27c322e0f88fa0cccba8cf914655cacb5dae51de (diff) | |
Fix stack overwrite in QDBusDemarshaller
QDBusArgument extraction operators and QDBusDemarshaller that implements
the extraction do not check the type of the extracted value.
Helper function template qIterGet in qdbusdemarshaller.cpp that is used
for extracting basic data types only reserves space from the stack for
the expected type as specified by client.
If the actual type in the DBus parameter is larger stack will be
overwritten in the helper function by at most 7 bytes (expected one byte,
received dbus_uint_64_t of size 8 bytes).
The fix always reserves space for the largest basic type dbus_uint64_t
readable by dbus_message_iter_get_basic API.
See also http://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html#ga41c23a05e552d0574d0444d4693d18ab
PMO 280456
Task-number: QTBUG-22735
Merge-request: 1469
Reviewed-by: thiago
Diffstat (limited to 'src/dbus')
| -rw-r--r-- | src/dbus/qdbusdemarshaller.cpp | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/src/dbus/qdbusdemarshaller.cpp b/src/dbus/qdbusdemarshaller.cpp index d9bb5b5ead..4103552db1 100644 --- a/src/dbus/qdbusdemarshaller.cpp +++ b/src/dbus/qdbusdemarshaller.cpp @@ -48,10 +48,28 @@ QT_BEGIN_NAMESPACE template <typename T> static inline T qIterGet(DBusMessageIter *it) { - T t; - q_dbus_message_iter_get_basic(it, &t); + // Use a union of expected and largest type q_dbus_message_iter_get_basic + // will return to ensure reading the wrong basic type does not result in + // stack overwrite + union { + // The value to be extracted + T t; + // Largest type that q_dbus_message_iter_get_basic will return + // according to dbus_message_iter_get_basic API documentation + dbus_uint64_t maxValue; + // A pointer to ensure no stack overwrite in case there is a platform + // where sizeof(void*) > sizeof(dbus_uint64_t) + void* ptr; + } value; + + // Initialize the value in case a narrower type is extracted to it. + // Note that the result of extracting a narrower type in place of a wider + // one and vice-versa will be platform-dependent. + value.t = T(); + + q_dbus_message_iter_get_basic(it, &value); q_dbus_message_iter_next(it); - return t; + return value.t; } QDBusDemarshaller::~QDBusDemarshaller() |