From f0c8d7693ceaa749a55a84bf50eabee0022ae072 Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 9 Sep 2014 16:14:50 +0100
Subject: [PATCH 2/3] Add a test-case for a synthetic message with 255 fds

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622
---
 configure.ac  |   2 +-
 test/fdpass.c | 147 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 148 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 1958586..5ab27bc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -591,7 +591,7 @@ AC_DEFINE_UNQUOTED([DBUS_USE_SYNC], [$have_sync], [Use the gcc __sync extension]
 AC_SEARCH_LIBS(socket,[socket network])
 AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)])
 
-AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid)
+AC_CHECK_FUNCS([vsnprintf vasprintf nanosleep usleep setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit poll setlocale localeconv strtoll strtoull issetugid getresuid getrlimit])
 
 AC_CHECK_HEADERS([syslog.h])
 if test "x$ac_cv_header_syslog_h" = "xyes"; then
diff --git a/test/fdpass.c b/test/fdpass.c
index 282de60..0df4be6 100644
--- a/test/fdpass.c
+++ b/test/fdpass.c
@@ -28,6 +28,7 @@
 #include <glib.h>
 
 #include <dbus/dbus.h>
+#include <dbus/dbus-internals.h>
 #include <dbus/dbus-sysdeps.h>
 
 #include <string.h>
@@ -35,7 +36,11 @@
 #ifdef G_OS_UNIX
 # include <errno.h>
 # include <fcntl.h>
+# ifdef HAVE_SYS_RESOURCE_H
+#   include <sys/resource.h>
+# endif
 # include <sys/stat.h>
+# include <sys/time.h>
 # include <sys/types.h>
 # include <unistd.h>
 #endif
@@ -44,6 +49,8 @@
 
 /* Arbitrary; included here to avoid relying on the default */
 #define MAX_MESSAGE_UNIX_FDS 20
+/* This test won't work on Linux unless this is true. */
+_DBUS_STATIC_ASSERT (MAX_MESSAGE_UNIX_FDS <= 253);
 
 /* Arbitrary; included here to avoid relying on the default. */
 #define MAX_INCOMING_UNIX_FDS (MAX_MESSAGE_UNIX_FDS * 4)
@@ -52,6 +59,10 @@
  * less than the process's file descriptor limit. */
 #define SOME_MESSAGES 50
 
+/* Linux won't allow more than 253 fds per sendmsg(). */
+#define TOO_MANY_FDS 255
+_DBUS_STATIC_ASSERT (MAX_MESSAGE_UNIX_FDS < TOO_MANY_FDS);
+
 /* As in test/relay.c, this is a miniature dbus-daemon: we relay messages
  * from the client on the left to the client on the right.
  *
@@ -453,6 +464,139 @@ test_too_many (Fixture *f,
 }
 
 static void
+test_too_many_split (Fixture *f,
+    gconstpointer data)
+{
+#ifdef HAVE_UNIX_FD_PASSING
+  DBusMessage *outgoing;
+  int i;
+  int left_client_socket;
+  char *payload;
+  int payload_len;
+  DBusString buffer;
+  int fds[TOO_MANY_FDS];
+  int done;
+
+  /* This test deliberately pushes up against OS limits, so skip it
+   * if we don't have enough fds. 4 times the maximum per message
+   * ought to be enough: that will cover the message, the dup'd fds
+   * we actually send, the copy that we potentially receive, and some
+   * spare capacity for everything else. */
+#ifdef HAVE_GETRLIMIT
+  struct rlimit lim;
+
+  if (getrlimit (RLIMIT_NOFILE, &lim) == 0)
+    {
+      if (lim.rlim_cur != RLIM_INFINITY &&
+          lim.rlim_cur < 4 * TOO_MANY_FDS)
+        {
+          g_test_skip ("not enough RLIMIT_NOFILE");
+          return;
+        }
+    }
+#endif
+
+  test_connect (f, data);
+
+  outgoing = dbus_message_new_signal ("/com/example/Hello",
+      "com.example.Hello", "Greeting");
+  g_assert (outgoing != NULL);
+
+  /* TOO_MANY_FDS fds are far too many: in particular, Linux doesn't allow
+   * sending this many in a single sendmsg(). libdbus never splits
+   * a message between two sendmsg() calls if it can help it, and
+   * in particular it always sends all the fds with the first sendmsg(),
+   * but malicious senders might not be so considerate. */
+  for (i = 0; i < TOO_MANY_FDS; i++)
+    {
+      if (!dbus_message_append_args (outgoing,
+            DBUS_TYPE_UNIX_FD, &f->fd_before,
+            DBUS_TYPE_INVALID))
+        oom ("appending fd");
+    }
+
+  /* This probably shouldn't work for messages with fds, but it does,
+   * which is convenient for this sort of trickery. */
+  if (!dbus_message_marshal (outgoing, &payload, &payload_len))
+    oom ("marshalling message");
+
+  _dbus_string_init_const_len (&buffer, payload, payload_len);
+
+  for (i = 0; i < TOO_MANY_FDS; i++)
+    {
+      fds[i] = dup (f->fd_before);
+
+      if (fds[i] < 0)
+        g_error ("could not dup fd: %s", g_strerror (errno));
+    }
+
+  /* This is blatant cheating, and the API documentation specifically
+   * tells you not use this function in this way. Never do this
+   * in application code. */
+  if (!dbus_connection_get_socket (f->left_client_conn, &left_client_socket))
+    g_error ("'unix:' DBusConnection should have had a socket");
+
+  /* Just to be sure that we're at a message boundary. */
+  dbus_connection_flush (f->left_client_conn);
+
+  /* We have too many fds for one sendmsg(), so send the first half
+   * (rounding down if odd) with the first byte... */
+  done = _dbus_write_socket_with_unix_fds (left_client_socket, &buffer, 0, 1,
+        &fds[0], TOO_MANY_FDS / 2);
+
+  if (done < 0)
+    g_error ("could not send first byte and first batch of fds: %s",
+        g_strerror (errno));
+
+  /* ... and the second half (rounding up if odd) with the rest of
+   * the message */
+  done = _dbus_write_socket_with_unix_fds (left_client_socket, &buffer, 1,
+        payload_len - 1, &fds[TOO_MANY_FDS / 2],
+        TOO_MANY_FDS - (TOO_MANY_FDS / 2));
+
+  if (done < 0)
+    {
+      g_error ("could not send rest of message and rest of fds: %s",
+          g_strerror (errno));
+    }
+  else if (done < payload_len - 1)
+    {
+      /* For simplicity, assume the socket buffer is big enough for the
+       * whole message, which should be < 2 KiB. If this fails on some
+       * OS, redo this test code to use a proper loop like the real
+       * libdbus does. */
+      g_error ("short write in sendmsg(), fix this test: %d/%d",
+          done, payload_len - 1);
+    }
+
+  dbus_free (payload);
+
+  for (i = 0; i < TOO_MANY_FDS; i++)
+    close (fds[i]);
+
+  dbus_message_unref (outgoing);
+
+  /* The sender is unceremoniously disconnected. */
+  while (dbus_connection_get_is_connected (f->left_client_conn) ||
+      dbus_connection_get_is_connected (f->left_server_conn))
+    {
+      g_print (".");
+      test_main_context_iterate (f->ctx, TRUE);
+    }
+
+  /* The message didn't get through without its fds. */
+  g_assert_cmpuint (g_queue_get_length (&f->messages), ==, 0);
+
+  /* The intended victim is unaffected by the left connection's
+   * misbehaviour. */
+  g_assert (dbus_connection_get_is_connected (f->right_client_conn));
+  g_assert (dbus_connection_get_is_connected (f->right_server_conn));
+#else
+  g_test_skip ("fd-passing not supported on this platform");
+#endif
+}
+
+static void
 test_flood (Fixture *f,
     gconstpointer data)
 {
@@ -675,6 +819,9 @@ main (int argc,
   g_test_add ("/too-many", Fixture, GUINT_TO_POINTER (17), setup,
       test_too_many, teardown);
 
+  g_test_add ("/too-many/split", Fixture, NULL, setup,
+      test_too_many_split, teardown);
+
   g_test_add ("/flood/1", Fixture, GUINT_TO_POINTER (1),
       setup, test_flood, teardown);
 #if MAX_MESSAGE_UNIX_FDS >= 2
-- 
2.1.0