qmi-codegen: ensure enough buffer available to read string/array size variable

Code generation via emit_size_read() creates the _validate() functions. The generated code for strings and arrays used to read the length prefix without checking that the provided buffer is large enough. https://bugzilla.redhat.com/show_bug.cgi?id=1031738 Patch based on a patch from Thomas Haller <thaller@redhat.com> Reported-by: Florian Weimer <fweimer@redhat.com>
author: Aleksander Morgado <aleksander@aleksander.es> 2014-10-07 12:28:46 +0200
committer: Aleksander Morgado <aleksander@aleksander.es> 2014-10-08 10:37:22 +0200
commit: 471d038fe38f7b99383f9654dcc8f6662d96e6f8 (patch)
tree: 0b605ec0c17afb1c469597689d52950d0aef53a8 /build-aux
parent: 0cf3aa3adf0a9940b1d37eb46f54d6af013ac5fe (diff)
download: external_libqmi-471d038fe38f7b99383f9654dcc8f6662d96e6f8.zip
external_libqmi-471d038fe38f7b99383f9654dcc8f6662d96e6f8.tar.gz
external_libqmi-471d038fe38f7b99383f9654dcc8f6662d96e6f8.tar.bz2
3 files changed, 28 insertions, 4 deletions
diff --git a/build-aux/qmi-codegen/Field.py b/build-aux/qmi-codegen/Field.py
index a3f3a61..ddbcfe1 100644
--- a/build-aux/qmi-codegen/Field.py
+++ b/build-aux/qmi-codegen/Field.py
@@ -339,7 +339,10 @@ class Field:
             '\n')
         f.write(string.Template(template).substitute(translations))
 
-        # Now, read the size of the expected TLV
+        # Now, read the size of the expected TLV.
+        #
+        # Note: the emit_size_read() implementation is allowed to return FALSE
+        # to indicate an error at any time.
         self.variable.emit_size_read(f, '    ', 'expected_len', 'buffer', 'buffer_len')
 
         template = (
diff --git a/build-aux/qmi-codegen/VariableArray.py b/build-aux/qmi-codegen/VariableArray.py
index c402da1..7f38202 100644
--- a/build-aux/qmi-codegen/VariableArray.py
+++ b/build-aux/qmi-codegen/VariableArray.py
@@ -251,7 +251,14 @@ class VariableArray(Variable):
             template = (
                 '${lp}    ${array_size_element_format} ${common_var_prefix}_n_items;\n'
                 '${lp}    const guint8 *${common_var_prefix}_aux_buffer = &${buffer_name}[${variable_name}];\n'
-                '${lp}    guint16 ${common_var_prefix}_aux_buffer_len = ${buffer_len} - ${variable_name};\n'
+                '${lp}    guint16 ${common_var_prefix}_aux_buffer_len;\n'
+                '\n'
+                '${lp}    ${common_var_prefix}_aux_buffer_len = ((${buffer_len} >= ${variable_name}) ? ${buffer_len} - ${variable_name} : 0);\n'
+                '${lp}    if (${common_var_prefix}_aux_buffer_len < ${array_size_element_size}) {\n'
+                '${lp}        g_warning ("Cannot read the array size: expected \'%u\' bytes, but only got \'%u\' bytes",\n'
+                '${lp}                   ${array_size_element_size}, ${common_var_prefix}_aux_buffer_len);\n'
+                '${lp}        return FALSE;\n'
+                '${lp}    }\n'
                 '\n'
                 '${lp}    ${variable_name} += ${array_size_element_size};\n')
 
diff --git a/build-aux/qmi-codegen/VariableString.py b/build-aux/qmi-codegen/VariableString.py
index faa2085..0ea3bd3 100644
--- a/build-aux/qmi-codegen/VariableString.py
+++ b/build-aux/qmi-codegen/VariableString.py
@@ -122,7 +122,14 @@ class VariableString(Variable):
                 '${lp}{\n'
                 '${lp}    guint8 size8;\n'
                 '${lp}    const guint8 *aux_buffer = &${buffer_name}[${variable_name}];\n'
-                '${lp}    guint16 aux_buffer_len = ${buffer_len} - ${variable_name};\n'
+                '${lp}    guint16 aux_buffer_len;\n'
+                '\n'
+                '${lp}    aux_buffer_len = ((${buffer_len} >= ${variable_name}) ? ${buffer_len} - ${variable_name} : 0);\n'
+                '${lp}    if (aux_buffer_len < 1) {\n'
+                '${lp}        g_warning ("Cannot read the string size: expected \'1\' bytes, but only got \'%u\' bytes",\n'
+                '${lp}                   aux_buffer_len);\n'
+                '${lp}        return FALSE;\n'
+                '${lp}    }\n'
                 '\n'
                 '${lp}    qmi_utils_read_guint8_from_buffer (&aux_buffer, &aux_buffer_len, &size8);\n'
                 '${lp}    ${variable_name} += (1 + size8);\n'
@@ -132,7 +139,14 @@ class VariableString(Variable):
                 '${lp}{\n'
                 '${lp}    guint16 size16;\n'
                 '${lp}    const guint8 *aux_buffer = &${buffer_name}[${variable_name}];\n'
-                '${lp}    guint16 aux_buffer_len = ${buffer_len} - ${variable_name};\n'
+                '${lp}    guint16 aux_buffer_len;\n'
+                '\n'
+                '${lp}    aux_buffer_len = ((${buffer_len} >= ${variable_name}) ? ${buffer_len} - ${variable_name} : 0);\n'
+                '${lp}    if (aux_buffer_len < 2) {\n'
+                '${lp}        g_warning ("Cannot read the string size: expected \'2\' bytes, but only got \'%u\' bytes",\n'
+                '${lp}                   aux_buffer_len);\n'
+                '${lp}        return FALSE;\n'
+                '${lp}    }\n'
                 '\n'
                 '${lp}    qmi_utils_read_guint16_from_buffer (&aux_buffer, &aux_buffer_len, QMI_ENDIAN_LITTLE, &size16);\n'
                 '${lp}    ${variable_name} += (2 + size16);\n'
author	Aleksander Morgado <aleksander@aleksander.es>	2014-10-07 12:28:46 +0200
committer	Aleksander Morgado <aleksander@aleksander.es>	2014-10-08 10:37:22 +0200
commit	471d038fe38f7b99383f9654dcc8f6662d96e6f8 (patch)
tree	0b605ec0c17afb1c469597689d52950d0aef53a8 /build-aux
parent	0cf3aa3adf0a9940b1d37eb46f54d6af013ac5fe (diff)
download	external_libqmi-471d038fe38f7b99383f9654dcc8f6662d96e6f8.zip external_libqmi-471d038fe38f7b99383f9654dcc8f6662d96e6f8.tar.gz external_libqmi-471d038fe38f7b99383f9654dcc8f6662d96e6f8.tar.bz2