portal: Avoid crash if sandbox-expose-[ro-]fd is out of range

If the handle is not in the range `0 <= handle < fds_len`, but no GError is set, we'd have crashed when we dereferenced error->message. Instead, log an error and early-return, matching what we do for app-fd, usr-fd and the array of inheritable fds. Fixes: 3c500145 "portal: Use --bind-fd, --app-fd and --usr-fd options to avoid races" Helps: https://github.com/flatpak/flatpak/issues/6584 Co-authored-by: Sebastian Wick <sebastian.wick@redhat.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
2026-04-16 13:00:48 -04:00 · 2026-04-09 20:16:16 +01:00
parent 15dc818874
commit 4ef2421bd2
1 changed files with 22 additions and 4 deletions
--- a/portal/flatpak-portal.c
+++ b/portal/flatpak-portal.c
@@ -1283,8 +1283,17 @@ handle_spawn (PortalFlatpak         *object,
          gint32 handle;

          g_variant_get_child (sandbox_expose_fd, i, "h", &handle);
-          if (handle >= 0 && handle < fds_len &&
-              validate_opath_fd (fds[handle], TRUE, &error))
+          if (handle >= fds_len || handle < 0)
+            {
+              g_debug ("Invalid sandbox-expose-fd handle %d", handle);
+              g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+                                                     G_DBUS_ERROR_INVALID_ARGS,
+                                                     "No file descriptor for handle %d",
+                                                     handle);
+              return G_DBUS_METHOD_INVOCATION_HANDLED;
+            }
+
+          if (validate_opath_fd (fds[handle], TRUE, &error))
            {
              g_array_append_val (expose_fds, fds[handle]);
            }
@@ -1309,8 +1318,17 @@ handle_spawn (PortalFlatpak         *object,
          gint32 handle;

          g_variant_get_child (sandbox_expose_fd_ro, i, "h", &handle);
-          if (handle >= 0 && handle < fds_len &&
-              validate_opath_fd (fds[handle], FALSE, &error))
+          if (handle >= fds_len || handle < 0)
+            {
+              g_debug ("Invalid sandbox-expose-ro-fd handle %d", handle);
+              g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
+                                                     G_DBUS_ERROR_INVALID_ARGS,
+                                                     "No file descriptor for handle %d",
+                                                     handle);
+              return G_DBUS_METHOD_INVOCATION_HANDLED;
+            }
+
+          if (validate_opath_fd (fds[handle], FALSE, &error))
            {
              g_array_append_val (expose_fds_ro, fds[handle]);
            }