author | Hwankyu Jhun <h.jhun@samsung.com> | 2018-09-07 11:18:37 +0900 |
---|---|---|
committer | Hwankyu Jhun <h.jhun@samsung.com> | 2018-09-07 22:23:54 +0900 |
commit | ae5130ad865dedc122326b2e51d32ab6184445ca (patch) | |
tree | 9a92c66d10017688905136e43b4011dbf05f899a | |
parent | 5e6ffc4a1fec0edaa8fad66b29d6133fe63048b5 (diff) | |
Fixed security issues
- Checks buffer size
- Uses memcpy function
Change-Id: I6c4541e4274627cfe21f6e70dd0cfbfaf8414367
Signed-off-by: Hwankyu Jhun <h.jhun@samsung.com>
-rw-r--r-- | src/bundle.c | 12 | ||||
-rwxr-xr-x | src/keyval.c | 24 | ||||
-rwxr-xr-x | src/keyval_array.c | 23 |
3 files changed, 31 insertions, 28 deletions
diff --git a/src/bundle.c b/src/bundle.c
index ac0725f..f5e6864 100644
--- a/src/bundle.c
+++ b/src/bundle.c
@@ -581,9 +581,9 @@ bundle *bundle_decode(const bundle_raw *r, const int data_size)
 type = keyval_get_type_from_encoded_byte(p_r);
 if (keyval_type_is_array(type)) {
 bytes_read = keyval_array_decode(p_r,
- (keyval_array_t **)&kv, byte_size);
+ (keyval_array_t **)&kv, byte_size + 1);
 } else {
- bytes_read = keyval_decode(p_r, &kv, byte_size);
+ bytes_read = keyval_decode(p_r, &kv, byte_size + 1);
 }
 if (kv)
@@ -729,9 +729,9 @@ bundle *bundle_decode_raw(const bundle_raw *r, const int data_size)
 type = keyval_get_type_from_encoded_byte(p_r);
 if (keyval_type_is_array(type)) {
 bytes_read = keyval_array_decode(p_r,
- (keyval_array_t **)&kv, byte_size);
+ (keyval_array_t **)&kv, byte_size + 1);
 } else {
- bytes_read = keyval_decode(p_r, &kv, byte_size);
+ bytes_read = keyval_decode(p_r, &kv, byte_size + 1);
 }
 if (kv)
@@ -885,11 +885,11 @@ bundle *bundle_import_from_argv(int argc, char **argv)
 type = keyval_get_type_from_encoded_byte(byte);
 if (keyval_type_is_array(type)) {
- if (keyval_array_decode(byte, &kva, byte_size) == 0) /* TODO: error! */
+ if (keyval_array_decode(byte, &kva, byte_size + 1) == 0) /* TODO: error! */
 BUNDLE_EXCEPTION_PRINT("Unable to Decode array\n");
 kv = (keyval_t *)kva;
 } else {
- if (keyval_decode(byte, &kv, byte_size) == 0) /* TODO: error! */
+ if (keyval_decode(byte, &kv, byte_size + 1) == 0) /* TODO: error! */
 BUNDLE_EXCEPTION_PRINT("Unable to Decode\n");
 }
 _bundle_append_kv(b, kv);
diff --git a/src/keyval.c b/src/keyval.c
index 279d469..6be41a2 100755
--- a/src/keyval.c
+++ b/src/keyval.c
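Review bot: The `byte_size + 1` now passed to `keyval_decode()` and `keyval_array_decode()` in bundle_decode (and identically in the bundle_decode_raw and bundle_import_from_argv hunks) widens the very bound the decoders enforce with `if (byte_size < byte_len) return 0;`, and nothing in the hunk says why the extra byte is safe. How `byte_size` is computed lies outside the hunk; if it already equals the bytes remaining in the buffer, a record whose `byte_len` runs one byte past the end is now accepted. I would either correct the value where `byte_size` is computed, or add a comment at each call such as `/* byte_size excludes <what>; +1 restores the exact number of readable bytes */`.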
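Review bot: In bundle_import_from_argv a rejected record is only logged: after `BUNDLE_EXCEPTION_PRINT(...)` control still reaches `kv = (keyval_t *)kva;` and `_bundle_append_kv(b, kv);`, and both call sites keep the `/* TODO: error! */` marker. The decoders now return 0 for more malformed inputs, so this path is taken more often, and `kv`/`kva` then hold whatever they held before the call (their initialisation is outside the hunk). The failure branch should stop the import, or at least skip the append, rather than append a value that was never decoded.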
@@ -247,52 +247,54 @@ size_t keyval_decode(unsigned char *byte, keyval_t **kv, size_t byte_size) unsigned char *p = byte; size_t encoded_size; - byte_len = *((size_t *)p); - if (byte_size < sz_byte_len) return 0; + memcpy(&byte_len, p, sz_byte_len); + if (byte_size < byte_len) + return 0; + byte_size -= sz_byte_len; p += sz_byte_len; - type = *((int *)p); if (byte_size < sz_type) return 0; + memcpy(&type, p, sz_type); + byte_size -= sz_type; p += sz_type; - keysize = *((size_t *)p); if (byte_size < sz_keysize) return 0; + memcpy(&keysize, p, sz_keysize); + byte_size -= sz_keysize; p += sz_keysize; - key = (char *)p; if (byte_size < keysize) return 0; + key = (char *)p; if (!key || (strnlen(key, keysize) + 1) != keysize) return 0; byte_size -= keysize; p += keysize; - size = *((size_t *)p); if (byte_size < sz_size) return 0; - byte_size -= sz_size; - p += sz_size; - val = (void *)p; + memcpy(&size, p, sz_size); encoded_size = sz_byte_len + sz_type + sz_keysize + keysize + sz_size + size; if (encoded_size != byte_len) return 0; - p += size; + p += sz_size; + val = (void *)p; if (kv) *kv = keyval_new(*kv, key, type, val, size);
@@ -307,7 +309,7 @@ int keyval_get_type_from_encoded_byte(unsigned char *byte)
 int type;
 p += sz_byte_len;
- type = *((int *)p);
+ memcpy(&type, p, sizeof(int));
 return type;
 }
diff --git a/src/keyval_array.c b/src/keyval_array.c
index b30ed09..225b02a 100755
--- a/src/keyval_array.c
+++ b/src/keyval_array.c
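Review bot: In keyval_decode, `size` is read from the input with `memcpy(&size, p, sz_size)` and then validated only through `encoded_size != byte_len`; the removed `byte_size -= sz_size;` is not replaced by any comparison of `size` with the bytes that remain. Because `encoded_size` is a `size_t` sum that includes the untrusted `size`, a very large `size` can wrap the sum to a small `byte_len` that also passes `byte_size < byte_len`, and `keyval_new()` would then receive a length far beyond the buffer. Bounding the field before the sum closes that gap: `if (size > byte_size - sz_size) return 0;` placed right after the memcpy. keyval_array_decode already guards its element-size sum against wrap-around, while this path has no equivalent.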
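Review bot: `keyval_get_type_from_encoded_byte()` still reads `sz_byte_len + sizeof(int)` bytes from `byte` with no length to check against, and the bundle.c callers shown in this commit invoke it before the decoders run their size checks. Switching to `memcpy(&type, p, sizeof(int))` removes the unaligned load, but a truncated record is still over-read at this point. Since the signature carries no size, either the callers should confirm that many bytes remain before calling, or the function should gain a length argument; at minimum a comment such as `/* caller must guarantee sz_byte_len + sizeof(int) readable bytes */` would document the precondition. The function body starts outside the hunk.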
@@ -367,53 +367,51 @@ size_t keyval_array_decode(void *byte, keyval_array_t **kva, size_t byte_size) size_t sum_array_element_size = 0; size_t encoded_size; - /* Get data */ - byte_len = *((size_t *)p); - if (byte_size < sz_byte_len) return 0; + memcpy(&byte_len, p, sz_byte_len); + if (byte_size < byte_len) + return 0; + byte_size -= sz_byte_len; p += sz_byte_len; - type = *((int *)p); if (byte_size < sz_type) return 0; + memcpy(&type, p, sz_type); byte_size -= sz_type; p += sz_type; - keysize = *((size_t *)p); if (byte_size < sz_keysize) return 0; + memcpy(&keysize, p, sz_keysize); byte_size -= sz_keysize; p += sz_keysize; - key = (char *)p; if (byte_size < keysize) return 0; + key = (char *)p; if (!key || (strnlen(key, keysize) + 1) != keysize) return 0; byte_size -= keysize; p += keysize; - len = *((unsigned int *)p); if (byte_size < sz_len) return 0; + memcpy(&len, p, sz_len); byte_size -= sz_len; p += sz_len; - array_element_size = (size_t *)p; if (byte_size < (sizeof(size_t) * len)) return 0; - p += sizeof(size_t) * len; - array_val = (void *)p; - + array_element_size = (size_t *)p; for (i = 0; i < len; ++i) { if ((sum_array_element_size + array_element_size[i]) < sum_array_element_size) return 0;
@@ -426,6 +424,9 @@ size_t keyval_array_decode(void *byte, keyval_array_t **kva, size_t byte_size) if (encoded_size != byte_len) return 0; + p += sizeof(size_t) * len; + array_val = (void *)p; + *kva = keyval_array_new(NULL, key, type, NULL, len); for (i = 0; i < len; i++) { elem_size += i ? array_element_size[i - 1] : 0; |
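Review bot: In keyval_array_decode the guard `if (byte_size < (sizeof(size_t) * len))` multiplies before comparing, and `len` (apparently an `unsigned int`, judging by the removed cast) comes straight from the input; where `size_t` is 32 bits the product can wrap, so a huge `len` passes the check and the loop that follows reads `array_element_size[i]` past the buffer. Dividing instead avoids the wrap: `if (len > byte_size / sizeof(size_t)) return 0;`. Separately, `array_element_size = (size_t *)p;` is still dereferenced directly although `p` follows a key of arbitrary length, so the unaligned access this commit removes elsewhere remains for the element-size table; copying each entry out with `memcpy` would match the rest of the change.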