From 471d038fe38f7b99383f9654dcc8f6662d96e6f8 Mon Sep 17 00:00:00 2001
From: Aleksander Morgado
Date: Tue, 7 Oct 2014 12:28:46 +0200
Subject: qmi-codegen: ensure enough buffer available to read string/array size variable
Code generation via emit_size_read() creates the _validate() functions. The generated code for strings and arrays used to read the length prefix without checking that the provided buffer is large enough.
https://bugzilla.redhat.com/show_bug.cgi?id=1031738
Patch based on a patch from Thomas Haller
Reported-by: Florian Weimer
---
src/libqmi-glib/test/test-message.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
(limited to 'src/libqmi-glib/test')
diff --git a/src/libqmi-glib/test/test-message.c b/src/libqmi-glib/test/test-message.c
index 86fed8a..f78b647 100644
--- a/src/libqmi-glib/test/test-message.c
+++ b/src/libqmi-glib/test/test-message.c
@@ -131,6 +131,33 @@ test_message_parse_wrong_tlv (void)
 test_message_parse_common (buffer, sizeof (buffer), 1);
 g_test_assert_expected_messages ();
 }
+
+static void
+test_message_parse_missing_size (void)
+{
+ /* PDS Event Report indication: NMEA position */
+ const guint8 buffer[] = {
+ 0x01, /* marker */
+ 0x10, 0x00, /* qmux length */
+ 0x80, /* qmux flags */
+ 0x06, /* service: PDS */
+ 0x03, /* client */
+ 0x04, /* service flags: Indication */
+ 0x01, 0x00, /* transaction */
+ 0x01, 0x00, /* message: Event Report */
+ 0x04, 0x00, /* all tlvs length: 4 bytes */
+ /* TLV */
+ 0x11, /* type: Extended NMEA Position (1 guint8 and one 16-bit-sized string) */
+ 0x01, 0x00, /* length: 1 byte (WE ONLY GIVE THE GUINT8!!!) */
+ 0x01
+ };
+
+ g_test_expect_message ("Qmi",
+ G_LOG_LEVEL_WARNING,
+ "Cannot read the string size: expected '*' bytes, but only got '*' bytes");
+ test_message_parse_common (buffer, sizeof (buffer), 1);
+ g_test_assert_expected_messages ();
+}
 #endif
 
 int main (int argc, char **argv)
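Review bot: The new test only covers the case where neither of the two string-size bytes is present (TLV length 1, so 0 of the 2 size bytes remain), which means an off-by-one in the generated check — accepting "at least one byte left" instead of "at least two" — would still pass. A second, separately registered variant that supplies exactly one of the two size bytes would pin that boundary: bump the qmux length to 0x11, the all-TLVs length to 0x05 and the TLV length to 0x02, and append one extra 0x01 after the guint8 (the qmux length presumably excludes the marker byte, as 0x10 = 16 matches the current 17-byte buffer minus the marker). The commit message says the same guard was added for array length prefixes, but no array-carrying TLV is exercised here; a sibling test expecting the corresponding array-size warning would confirm that path too, assuming the generated message follows the same `Cannot read the ... size` pattern. What test_message_parse_common's third argument asserts after the warning is not visible in this hunk.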
@@ -144,6 +171,7 @@ int main (int argc, char **argv)
 g_test_add_func ("/libqmi-glib/message/parse/complete-and-complete", test_message_parse_complete_and_complete);
 #if GLIB_CHECK_VERSION (2,34,0)
 g_test_add_func ("/libqmi-glib/message/parse/wrong-tlv", test_message_parse_wrong_tlv);
+ g_test_add_func ("/libqmi-glib/message/parse/missing-size", test_message_parse_missing_size);
 #endif
 
 return g_test_run ();
-- cgit v1.1