author | jusung son <jusung07.son@samsung.com> | 2017-08-21 17:09:19 +0900 |
---|---|---|
committer | jusung son <jusung07.son@samsung.com> | 2017-08-21 08:21:59 +0000 |
commit | 36a857d74d3a6830731ae29b6011b77bdcead38d (patch) | |
tree | c29678ce1f3a00dbf1ef0f9e8efd7257a5964e2a | |
parent | 70b758da4f6c3fb552ecece3cbb35aa4a51b3e98 (diff) | |
Fix tainted int
- boundary check
- strtol exception handling
Change-Id: Ife7ad3f3940f56c88e0f93b8179db4875c894d0b
Signed-off-by: jusung son <jusung07.son@samsung.com>
-rwxr-xr-x | src/data_control_map.c | 3 | ||||
-rwxr-xr-x | src/data_control_provider.c | 67 |
2 files changed, 50 insertions, 20 deletions
diff --git a/src/data_control_map.c b/src/data_control_map.c
index 2d12cf8..76b020c 100755
--- a/src/data_control_map.c
+++ b/src/data_control_map.c
@@ -156,7 +156,8 @@ EXPORT_API int data_control_map_get_with_page(data_control_h provider,
 int reqId;
 if (provider == NULL || provider->provider_id == NULL ||
- provider->data_id == NULL || key == NULL) {
+ provider->data_id == NULL ||
+ key == NULL || page_number < 1) {
 _LOGE("Invalid parameter");
 return DATA_CONTROL_ERROR_INVALID_PARAMETER;
 }
diff --git a/src/data_control_provider.c b/src/data_control_provider.c
index 4e21c40..2368772 100755
--- a/src/data_control_provider.c
+++ b/src/data_control_provider.c
@@ -245,21 +245,24 @@ int __datacontrol_get_data_changed_filter_callback_id(void)
 return id;
 }
-static int __get_int_from_str(const char *str)
+static bool __get_int_from_str(const char *str, int *trans_value)
 {
- int result = 0;
+ long result = 0;
 char *pend;
 errno = 0;
 result = strtol(str, &pend, 10);
- if ((result == LONG_MIN || result == LONG_MAX)
- && errno != 0) {
- result = 0;
+ if (result < INT_MIN || result > INT_MAX || errno != 0) {
+ _LOGE("strtol failed :%s [%d]", str, errno);
+ return false;
 }
- if (*pend != '\0')
- result = 0;
+ if (*pend != '\0') {
+ _LOGE("strtol failed : %s, %s ", str, pend);
+ return false;
+ }
+ *trans_value = (int)result;
- return result;
+ return true;
 }
 static bundle *__get_bundle_data_from_fd(int fd)
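Review bot: In data_control_map_get_with_page (src/data_control_map.c) the extended guard rejects `page_number < 1` but gives `count_per_page` no lower bound, although the provider side later multiplies the two values. The parameter list lies outside the hunk, so this assumes `count_per_page` is the paging argument passed next to `page_number`; if so, extend the condition to `key == NULL || page_number < 1 || count_per_page < 1) {`. This test runs in the consumer's own process, so it only catches honest caller mistakes early, and the provider-side validation remains the check that matters for untrusted requests.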
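Review bot: `__get_int_from_str` in src/data_control_provider.c still accepts a string that contains no digits: for an empty string strtol() leaves `pend == str`, `*pend` is `'\0'`, and the helper returns true with 0. Changing the second test to `if (pend == str || *pend != '\0') {` closes that gap. `str` also reaches strtol() without a NULL check, and as far as the hunks show not every caller tests its argument first (for example `arg_list[i++]` in __provider_process), so `if (str == NULL || trans_value == NULL) return false;` at the top would make the helper safe on its own. A short header comment stating that `*trans_value` is left untouched on failure would warn callers against logging the output variable on the error path.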
@@ -1106,12 +1109,24 @@ static int __send_get_value_result(int fd, bundle *b, void *data)
 _LOGI("page num: %s, count_per_page: %s, value_count %s", page_num_str, count_per_page_str, value_count_str);
- if (page_num_str)
- page_number = __get_int_from_str(page_num_str);
- if (count_per_page_str)
- count_per_page = __get_int_from_str(count_per_page_str);
- if (value_count_str)
- value_count = __get_int_from_str(value_count_str);
+ if (!page_num_str || !count_per_page_str || !value_count_str) {
+ _LOGE("bundle was corrupted.");
+ return DATA_CONTROL_ERROR_IO_ERROR;
+ }
+
+ if (!__get_int_from_str(page_num_str, &page_number))
+ return DATA_CONTROL_ERROR_IO_ERROR;
+
+ if (page_number < 1) {
+ _LOGE("bundle was corrupted. page_number[%d]", page_number);
+ return DATA_CONTROL_ERROR_IO_ERROR;
+ }
+
+ if (!__get_int_from_str(count_per_page_str, &count_per_page))
+ return DATA_CONTROL_ERROR_IO_ERROR;
+
+ if (!__get_int_from_str(value_count_str, &value_count))
+ return DATA_CONTROL_ERROR_IO_ERROR;
 current_offset = (page_number - 1) * count_per_page;
 remain_count = value_count - current_offset;
@@ -1489,6 +1504,9 @@ int __provider_process(bundle *b, int fd, const char *consumer_appid)
 char *provider_id;
 char *caller_appid;
 bundle *value = NULL;
+ int i = 1;
+ int current = 0;
+ int column_count;
 const char *request_type = bundle_get_val(b, OSP_K_DATACONTROL_REQUEST_TYPE);
@@ -1568,9 +1586,10 @@ int __provider_process(bundle *b, int fd, const char *consumer_appid)
 switch (type) {
 case DATACONTROL_TYPE_SQL_SELECT: {
- int i = 1;
- int current = 0;
- int column_count = __get_int_from_str(arg_list[i++]); /* Column count */
+ if (!__get_int_from_str(arg_list[i++], &column_count)) { /* Column count */
+ _LOGE("Failed to convert column_count", column_count);
+ goto err;
+ }
 if (column_count <= 0 || column_count > MAX_COLUMN_COUNT) {
 _LOGE("Invalid column count %d", column_count);
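Review bot: In __send_get_value_result only `page_number` gets a range check; `count_per_page` and `value_count` are accepted with any int value, so a zero or negative `count_per_page`, a negative `value_count`, or a product too large for int in `(page_number - 1) * count_per_page` (signed overflow, undefined behaviour) still reaches the offset arithmetic. The three strings appear to come from the bundle the function receives, so they deserve the same treatment as `page_number`: `if (count_per_page < 1 || value_count < 0 || page_number - 1 > INT_MAX / count_per_page) return DATA_CONTROL_ERROR_IO_ERROR;` before `current_offset` is computed. The `_LOGI` call above the new NULL test still formats the three pointers with `%s` before they are checked, so moving it below the test avoids passing NULL to `%s`. The function continues past the end of the hunk, so how `remain_count` is consumed is not visible here.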
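Review bot: The new `_LOGE("Failed to convert column_count", column_count);` in __provider_process passes an argument the format string never consumes, and on this path `column_count` is still uninitialized: it is declared without an initializer in the hunk at -1489 and `__get_int_from_str` does not write it on failure. Drop the argument, `_LOGE("Failed to convert column_count");`, since the helper already logs the offending string. The two `_LOGE` calls added in datacontrol_provider_get_select_page_info (hunk at -3072) have the same shape, a pointer argument with no `%s`. `arg_list[i++]` is also handed to the helper without a visible NULL or length check; the setup of `arg_list` is outside the hunk, so confirm that index 1 always exists for DATACONTROL_TYPE_SQL_SELECT.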
@@ -3054,6 +3073,7 @@ int datacontrol_provider_get_select_page_info(
 bundle *b;
 const char *page_num_str;
 const char *count_per_page_str;
+ int result;
 if (__request_table == NULL) {
 _LOGE("__request_table is NULL");
@@ -3072,8 +3092,17 @@ int datacontrol_provider_get_select_page_info(
 _LOGE("No page data for the request id: %d, ", request_id);
 return DATA_CONTROL_ERROR_INVALID_PARAMETER;
 }
- *page_num = __get_int_from_str(page_num_str);
- *count_per_page = __get_int_from_str(count_per_page_str);
+ if (!__get_int_from_str(page_num_str, &result)) {
+ _LOGE("Failed to convert page_num_str", page_num_str);
+ return DATA_CONTROL_ERROR_IO_ERROR;
+ }
+ *page_num = result;
+
+ if (!__get_int_from_str(count_per_page_str, &result)) {
+ _LOGE("Failed to convert count_per_page_str", count_per_page_str);
+ return DATA_CONTROL_ERROR_IO_ERROR;
+ }
+ *count_per_page = result;
 return DATA_CONTROL_ERROR_NONE;
 } |
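Review bot: datacontrol_provider_get_select_page_info writes `*page_num` before `count_per_page_str` has been parsed, so a failure on the second conversion returns DATA_CONTROL_ERROR_IO_ERROR with one output already modified. Parsing both values into locals and assigning the outputs only after both conversions succeed keeps the result all-or-nothing. Unlike __send_get_value_result, no lower bound is applied here, so the provider receives whatever integers the request carried; rejecting values below 1 at this point would give provider code the same guarantee. Whether `count_per_page_str` is covered by the NULL test above is not visible, because that condition starts outside the hunk.

```c
int page = 0;
int per_page = 0;

/* … unchanged: __request_table lookup and "No page data" check … */
if (!__get_int_from_str(page_num_str, &page) ||
		!__get_int_from_str(count_per_page_str, &per_page))
	return DATA_CONTROL_ERROR_IO_ERROR;

if (page < 1 || per_page < 1) {
	_LOGE("Invalid page info: page_num[%d], count_per_page[%d]",
			page, per_page);
	return DATA_CONTROL_ERROR_IO_ERROR;
}

*page_num = page;
*count_per_page = per_page;
```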