From f971146873a0cf837e71958b99aaf9402333c45a Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Dec 15 2020 09:45:25 +0000
Subject: bus-message: do not crash on message with a string of zero length

We'd calculate the "real" length of the string as 'item_size - 1', which does not work out well when item_size == 0.

(cherry picked from commit 81b6e63029eefcb0ec03a3a7c248490e38106073)

Resolves: #1635439
patch_name: 0025-bus-message-do-not-crash-on-message-with-a-string-of.patch
present_in_specfile: true
location_in_specfile: 25
squash_commits: true
---
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 8d92bc2..381034f 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -3312,6 +3312,12 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
 if (IN_SET(type, SD_BUS_TYPE_STRING, SD_BUS_TYPE_OBJECT_PATH, SD_BUS_TYPE_SIGNATURE)) {
 bool ok;
 
+ /* D-Bus spec: The marshalling formats for the string-like types all end
+ * with a single zero (NUL) byte, but that byte is not considered to be part
+ * of the text. */
+ if (c->item_size == 0)
+ return -EBADMSG;
+
 r = message_peek_body(m, &rindex, 1, c->item_size, &q);
 if (r < 0)
 return r;
diff --git a/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e b/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e
new file mode 100644
index 0000000..4488f0a
Binary files /dev/null and b/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e differ
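Review bot: The new comment above `if (c->item_size == 0)` quotes the D-Bus spec but does not say what the check actually protects, so a later reader has no link from "the NUL is not part of the text" to why zero is rejected here rather than treated as an empty string; the commit message carries that reasoning, the code does not. I would append one line to the comment, e.g. `* item_size counts that NUL, so 0 means the terminator is missing and the "item_size - 1" length computed below would underflow. */`, since the subtraction it guards is outside this hunk. The check also sits before message_peek_body(), which is the right order: a crafted zero-length item is rejected as malformed (-EBADMSG) before any body bytes are dereferenced, and the added fuzz corpus input pins that path. The enclosing function and whatever condition selects this marshalling branch both continue outside the hunk, so I cannot confirm from here that item_size is only consulted in the mode where it is meaningful.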