summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHwankyu Jhun <h.jhun@samsung.com>2018-09-07 11:18:37 +0900
committerHwankyu Jhun <h.jhun@samsung.com>2018-09-07 22:23:54 +0900
commitae5130ad865dedc122326b2e51d32ab6184445ca (patch)
tree9a92c66d10017688905136e43b4011dbf05f899a
parent5e6ffc4a1fec0edaa8fad66b29d6133fe63048b5 (diff)
downloadbundle-ae5130ad865dedc122326b2e51d32ab6184445ca.tar.gz
bundle-ae5130ad865dedc122326b2e51d32ab6184445ca.tar.bz2
bundle-ae5130ad865dedc122326b2e51d32ab6184445ca.zip
Fixed security issues
- Checks buffer size - Uses memcpy function Change-Id: I6c4541e4274627cfe21f6e70dd0cfbfaf8414367 Signed-off-by: Hwankyu Jhun <h.jhun@samsung.com>
-rw-r--r--src/bundle.c12
-rwxr-xr-xsrc/keyval.c24
-rwxr-xr-xsrc/keyval_array.c23
3 files changed, 31 insertions, 28 deletions
diff --git a/src/bundle.c b/src/bundle.c
index ac0725f..f5e6864 100644
--- a/src/bundle.c
+++ b/src/bundle.c
@@ -581,9 +581,9 @@ bundle *bundle_decode(const bundle_raw *r, const int data_size)
type = keyval_get_type_from_encoded_byte(p_r);
if (keyval_type_is_array(type)) {
bytes_read = keyval_array_decode(p_r,
- (keyval_array_t **)&kv, byte_size);
+ (keyval_array_t **)&kv, byte_size + 1);
} else {
- bytes_read = keyval_decode(p_r, &kv, byte_size);
+ bytes_read = keyval_decode(p_r, &kv, byte_size + 1);
}
if (kv)
@@ -729,9 +729,9 @@ bundle *bundle_decode_raw(const bundle_raw *r, const int data_size)
type = keyval_get_type_from_encoded_byte(p_r);
if (keyval_type_is_array(type)) {
bytes_read = keyval_array_decode(p_r,
- (keyval_array_t **)&kv, byte_size);
+ (keyval_array_t **)&kv, byte_size + 1);
} else {
- bytes_read = keyval_decode(p_r, &kv, byte_size);
+ bytes_read = keyval_decode(p_r, &kv, byte_size + 1);
}
if (kv)
@@ -885,11 +885,11 @@ bundle *bundle_import_from_argv(int argc, char **argv)
type = keyval_get_type_from_encoded_byte(byte);
if (keyval_type_is_array(type)) {
- if (keyval_array_decode(byte, &kva, byte_size) == 0) /* TODO: error! */
+ if (keyval_array_decode(byte, &kva, byte_size + 1) == 0) /* TODO: error! */
BUNDLE_EXCEPTION_PRINT("Unable to Decode array\n");
kv = (keyval_t *)kva;
} else {
- if (keyval_decode(byte, &kv, byte_size) == 0) /* TODO: error! */
+ if (keyval_decode(byte, &kv, byte_size + 1) == 0) /* TODO: error! */
BUNDLE_EXCEPTION_PRINT("Unable to Decode\n");
}
_bundle_append_kv(b, kv);
diff --git a/src/keyval.c b/src/keyval.c
index 279d469..6be41a2 100755
--- a/src/keyval.c
+++ b/src/keyval.c
@@ -247,52 +247,54 @@ size_t keyval_decode(unsigned char *byte, keyval_t **kv, size_t byte_size)
unsigned char *p = byte;
size_t encoded_size;
- byte_len = *((size_t *)p);
-
if (byte_size < sz_byte_len)
return 0;
+ memcpy(&byte_len, p, sz_byte_len);
+ if (byte_size < byte_len)
+ return 0;
+
byte_size -= sz_byte_len;
p += sz_byte_len;
- type = *((int *)p);
if (byte_size < sz_type)
return 0;
+ memcpy(&type, p, sz_type);
+
byte_size -= sz_type;
p += sz_type;
- keysize = *((size_t *)p);
if (byte_size < sz_keysize)
return 0;
+ memcpy(&keysize, p, sz_keysize);
+
byte_size -= sz_keysize;
p += sz_keysize;
- key = (char *)p;
if (byte_size < keysize)
return 0;
+ key = (char *)p;
if (!key || (strnlen(key, keysize) + 1) != keysize)
return 0;
byte_size -= keysize;
p += keysize;
- size = *((size_t *)p);
if (byte_size < sz_size)
return 0;
- byte_size -= sz_size;
- p += sz_size;
- val = (void *)p;
+ memcpy(&size, p, sz_size);
encoded_size = sz_byte_len + sz_type + sz_keysize + keysize +
sz_size + size;
if (encoded_size != byte_len)
return 0;
- p += size;
+ p += sz_size;
+ val = (void *)p;
if (kv)
*kv = keyval_new(*kv, key, type, val, size);
@@ -307,7 +309,7 @@ int keyval_get_type_from_encoded_byte(unsigned char *byte)
int type;
p += sz_byte_len;
- type = *((int *)p);
+ memcpy(&type, p, sizeof(int));
return type;
}
diff --git a/src/keyval_array.c b/src/keyval_array.c
index b30ed09..225b02a 100755
--- a/src/keyval_array.c
+++ b/src/keyval_array.c
@@ -367,53 +367,51 @@ size_t keyval_array_decode(void *byte, keyval_array_t **kva, size_t byte_size)
size_t sum_array_element_size = 0;
size_t encoded_size;
- /* Get data */
- byte_len = *((size_t *)p);
-
if (byte_size < sz_byte_len)
return 0;
+ memcpy(&byte_len, p, sz_byte_len);
+ if (byte_size < byte_len)
+ return 0;
+
byte_size -= sz_byte_len;
p += sz_byte_len;
- type = *((int *)p);
if (byte_size < sz_type)
return 0;
+ memcpy(&type, p, sz_type);
byte_size -= sz_type;
p += sz_type;
- keysize = *((size_t *)p);
if (byte_size < sz_keysize)
return 0;
+ memcpy(&keysize, p, sz_keysize);
byte_size -= sz_keysize;
p += sz_keysize;
- key = (char *)p;
if (byte_size < keysize)
return 0;
+ key = (char *)p;
if (!key || (strnlen(key, keysize) + 1) != keysize)
return 0;
byte_size -= keysize;
p += keysize;
- len = *((unsigned int *)p);
if (byte_size < sz_len)
return 0;
+ memcpy(&len, p, sz_len);
byte_size -= sz_len;
p += sz_len;
- array_element_size = (size_t *)p;
if (byte_size < (sizeof(size_t) * len))
return 0;
- p += sizeof(size_t) * len;
- array_val = (void *)p;
-
+ array_element_size = (size_t *)p;
for (i = 0; i < len; ++i) {
if ((sum_array_element_size + array_element_size[i]) < sum_array_element_size)
return 0;
@@ -426,6 +424,9 @@ size_t keyval_array_decode(void *byte, keyval_array_t **kva, size_t byte_size)
if (encoded_size != byte_len)
return 0;
+ p += sizeof(size_t) * len;
+ array_val = (void *)p;
+
*kva = keyval_array_new(NULL, key, type, NULL, len);
for (i = 0; i < len; i++) {
elem_size += i ? array_element_size[i - 1] : 0;