oss-sec mailing list archives

Re: Clarifications on the D-Bus specification


From: "Rémi Denis-Courmont" <remi () remlab net>
Date: Sat, 11 Dec 2010 20:16:59 +0200

Replying to self...

On Friday 10 December 2010, Rémi Denis-Courmont wrote:
> On Fri, 10 Dec 2010 20:52:40 +0100, Thiago Macieira <thiago () kde org> wrote:
>> The other thing is protection against an attack vector -- an exploit
>> by recursion. If the protection is by applying one of the limits,
>> then let's use it.
>
> The specification does not specify any limits on variant recursion, that I
> can find. So it's not a matter of applying a limit that was not applied
> this far. It's a first matter of adding a new limit to the protocol - if it
> is needed anyhow.

So in fact, the bus daemon does crash with a few tens of thousands of nested 
variants, at least on 386 (tested Debian D-Bus 1.2.24 and Ubuntu D-Bus 1.4.0):
http://www.remlab.net/op/dbus-variant-recursion.shtml

I already filed the issue as FreeDesktop bug #32321.

The issue might also affect other non-libdbus-based implementations but I have 
not tested any of those. It might also affect programs that parse 'any' message 
recursively such as dbus-send, but again I have not tested that.


I should note that I could not convince libdbus to write a deep enough 
message. At about two hundred nested containers, libdbus made the glibc heap 
checks abort - probably a separate bug. If run under valgrind then libdbus 
'cleanly' failed to write a message with about 400 nested containers.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
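
Added example, not part of the original message and not libdbus code: a reader of a marshalled body can bound variant nesting with a loop and a counter, so stack use stays constant however deep the input nests. The function name, the error codes, the limit of 64 and the sample bytes are assumptions made for this sketch, and it covers only variants nested directly inside one another.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical error codes for this sketch. */
enum { WALK_TOO_DEEP = -1, WALK_MALFORMED = -2 };

/* Constructed sample: variant(variant(variant(byte 42))) as marshalled bytes.
 * A variant is a signature (length byte, type codes, NUL) followed by the
 * value; a variant value has 1-byte alignment, so nested ones are contiguous. */
static const uint8_t SAMPLE[] = { 1, 'v', 0,  1, 'v', 0,  1, 'y', 0,  42 };

/* Count directly nested variants iteratively. Returns the nesting depth,
 * WALK_TOO_DEEP once the depth exceeds max_depth, or WALK_MALFORMED when a
 * signature is empty, truncated or not NUL-terminated. The innermost value
 * is left to the normal parser, which can now recurse at most max_depth times. */
int variant_chain_depth(const uint8_t *buf, size_t len, int max_depth)
{
    size_t pos = 0;
    int depth = 0;

    for (;;) {
        if (pos >= len)
            return WALK_MALFORMED;
        size_t n = buf[pos];                 /* signature length byte */
        if (n == 0 || len - pos < n + 2 || buf[pos + 1 + n] != 0)
            return WALK_MALFORMED;
        if (++depth > max_depth)
            return WALK_TOO_DEEP;            /* reject before descending */
        if (n != 1 || buf[pos + 1] != 'v')
            return depth;                    /* innermost type is not a variant */
        pos += 3;                            /* skip "\x01v\0", next variant follows */
    }
}

int main(void)
{
    /* 64 is an assumed limit; the specification discussed above sets none. */
    printf("limit 64: %d\n", variant_chain_depth(SAMPLE, sizeof SAMPLE, 64));
    printf("limit 2:  %d\n", variant_chain_depth(SAMPLE, sizeof SAMPLE, 2));
    return 0;
}
```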