1 /* -*- mode: C; c-file-style: "gnu" -*- */
2 /* dbus-marshal-validate.c Validation routines for marshaled data
4 * Copyright (C) 2005 Red Hat, Inc.
6 * Licensed under the Academic Free License version 2.1
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 #include "dbus-internals.h"
25 #include "dbus-marshal-validate.h"
26 #include "dbus-marshal-recursive.h"
27 #include "dbus-marshal-basic.h"
28 #include "dbus-string.h"
31 * @addtogroup DBusMarshal
37 * Verifies that the range of type_str from type_pos to type_end is a
38 * valid signature. If this function returns #TRUE, it will be safe
39 * to iterate over the signature with a types-only #DBusTypeReader.
40 * The range passed in should NOT include the terminating
41 * nul/DBUS_TYPE_INVALID.
43 * @todo verify that dict entries have exactly two fields
45 * @todo require that dict entries are in an array
47 * @param type_str the string
48 * @param type_pos where the typecodes start
49 * @param len length of typecodes
50 * @returns #DBUS_VALID if valid, reason why invalid otherwise
53 _dbus_validate_signature_with_reason (const DBusString *type_str,
57 const unsigned char *p;
58 const unsigned char *end;
64 _dbus_assert (type_str != NULL);
65 _dbus_assert (type_pos < _DBUS_INT32_MAX - len);
66 _dbus_assert (len >= 0);
67 _dbus_assert (type_pos >= 0);
69 if (len > DBUS_MAXIMUM_SIGNATURE_LENGTH)
70 return DBUS_INVALID_SIGNATURE_TOO_LONG;
72 p = _dbus_string_get_const_data_len (type_str, type_pos, 0);
73 end = _dbus_string_get_const_data_len (type_str, type_pos + len, 0);
77 last = DBUS_TYPE_INVALID;
84 case DBUS_TYPE_BOOLEAN:
86 case DBUS_TYPE_UINT16:
88 case DBUS_TYPE_UINT32:
90 case DBUS_TYPE_UINT64:
91 case DBUS_TYPE_DOUBLE:
92 case DBUS_TYPE_STRING:
93 case DBUS_TYPE_OBJECT_PATH:
94 case DBUS_TYPE_SIGNATURE:
95 case DBUS_TYPE_VARIANT:
100 if (array_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
101 return DBUS_INVALID_EXCEEDED_MAXIMUM_ARRAY_RECURSION;
104 case DBUS_STRUCT_BEGIN_CHAR:
107 if (struct_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
108 return DBUS_INVALID_EXCEEDED_MAXIMUM_STRUCT_RECURSION;
111 case DBUS_STRUCT_END_CHAR:
112 if (struct_depth == 0)
113 return DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
115 if (last == DBUS_STRUCT_BEGIN_CHAR)
116 return DBUS_INVALID_STRUCT_HAS_NO_FIELDS;
121 case DBUS_DICT_ENTRY_BEGIN_CHAR:
122 if (last != DBUS_TYPE_ARRAY)
123 return DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY;
125 dict_entry_depth += 1;
127 if (dict_entry_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
128 return DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION;
131 case DBUS_DICT_ENTRY_END_CHAR:
132 if (dict_entry_depth == 0)
133 return DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
135 if (last == DBUS_DICT_ENTRY_BEGIN_CHAR)
136 return DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
138 dict_entry_depth -= 1;
141 case DBUS_TYPE_STRUCT: /* doesn't appear in signatures */
142 case DBUS_TYPE_DICT_ENTRY: /* ditto */
144 return DBUS_INVALID_UNKNOWN_TYPECODE;
149 if (*p == DBUS_TYPE_ARRAY)
151 else if (*p == DBUS_STRUCT_END_CHAR ||
152 *p == DBUS_DICT_ENTRY_END_CHAR)
153 return DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE;
163 return DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE;
165 if (struct_depth > 0)
166 return DBUS_INVALID_STRUCT_STARTED_BUT_NOT_ENDED;
168 if (dict_entry_depth > 0)
169 return DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED;
171 _dbus_assert (last != DBUS_TYPE_ARRAY);
172 _dbus_assert (last != DBUS_STRUCT_BEGIN_CHAR);
173 _dbus_assert (last != DBUS_DICT_ENTRY_BEGIN_CHAR);
179 validate_body_helper (DBusTypeReader *reader,
181 dbus_bool_t walk_reader_to_end,
182 const unsigned char *p,
183 const unsigned char *end,
184 const unsigned char **new_p)
188 while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
190 const unsigned char *a;
194 _dbus_verbose (" validating value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
195 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
199 /* Guarantee that p has one byte to look at */
201 return DBUS_INVALID_NOT_ENOUGH_DATA;
203 switch (current_type)
209 case DBUS_TYPE_BOOLEAN:
210 case DBUS_TYPE_INT16:
211 case DBUS_TYPE_UINT16:
212 case DBUS_TYPE_INT32:
213 case DBUS_TYPE_UINT32:
214 case DBUS_TYPE_INT64:
215 case DBUS_TYPE_UINT64:
216 case DBUS_TYPE_DOUBLE:
217 alignment = _dbus_type_get_alignment (current_type);
218 a = _DBUS_ALIGN_ADDRESS (p, alignment);
220 return DBUS_INVALID_NOT_ENOUGH_DATA;
224 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
228 if (current_type == DBUS_TYPE_BOOLEAN)
230 dbus_uint32_t v = _dbus_unpack_uint32 (byte_order,
232 if (!(v == 0 || v == 1))
233 return DBUS_INVALID_BOOLEAN_NOT_ZERO_OR_ONE;
239 case DBUS_TYPE_ARRAY:
240 case DBUS_TYPE_STRING:
241 case DBUS_TYPE_OBJECT_PATH:
243 dbus_uint32_t claimed_len;
245 a = _DBUS_ALIGN_ADDRESS (p, 4);
247 return DBUS_INVALID_NOT_ENOUGH_DATA;
251 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
255 claimed_len = _dbus_unpack_uint32 (byte_order, p);
258 /* p may now be == end */
259 _dbus_assert (p <= end);
261 if (current_type == DBUS_TYPE_ARRAY)
263 int array_elem_type = _dbus_type_reader_get_element_type (reader);
264 alignment = _dbus_type_get_alignment (array_elem_type);
265 p = _DBUS_ALIGN_ADDRESS (p, alignment);
268 if (claimed_len > (unsigned long) (end - p))
269 return DBUS_INVALID_LENGTH_OUT_OF_BOUNDS;
271 if (current_type == DBUS_TYPE_OBJECT_PATH)
274 _dbus_string_init_const_len (&str, p, claimed_len);
275 if (!_dbus_validate_path (&str, 0,
276 _dbus_string_get_length (&str)))
277 return DBUS_INVALID_BAD_PATH;
281 else if (current_type == DBUS_TYPE_STRING)
284 _dbus_string_init_const_len (&str, p, claimed_len);
285 if (!_dbus_string_validate_utf8 (&str, 0,
286 _dbus_string_get_length (&str)))
287 return DBUS_INVALID_BAD_UTF8_IN_STRING;
291 else if (current_type == DBUS_TYPE_ARRAY && claimed_len > 0)
294 DBusValidity validity;
295 const unsigned char *array_end;
297 if (claimed_len > DBUS_MAXIMUM_ARRAY_LENGTH)
298 return DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM;
300 /* Remember that the reader is types only, so we can't
301 * use it to iterate over elements. It stays the same
304 _dbus_type_reader_recurse (reader, &sub);
306 array_end = p + claimed_len;
308 while (p < array_end)
310 /* FIXME we are calling a function per array element! very bad
311 * need if (dbus_type_is_fixed(elem_type)) here to just skip
312 * big blocks of ints/bytes/etc.
315 validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
316 if (validity != DBUS_VALID)
321 return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
324 /* check nul termination */
325 if (current_type != DBUS_TYPE_ARRAY)
328 return DBUS_INVALID_NOT_ENOUGH_DATA;
331 return DBUS_INVALID_STRING_MISSING_NUL;
337 case DBUS_TYPE_SIGNATURE:
339 dbus_uint32_t claimed_len;
341 DBusValidity validity;
346 /* 1 is for nul termination */
347 if (claimed_len + 1 > (unsigned long) (end - p))
348 return DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
350 _dbus_string_init_const_len (&str, p, claimed_len);
352 _dbus_validate_signature_with_reason (&str, 0,
353 _dbus_string_get_length (&str));
355 if (validity != DBUS_VALID)
360 _dbus_assert (p < end);
361 if (*p != DBUS_TYPE_INVALID)
362 return DBUS_INVALID_SIGNATURE_MISSING_NUL;
366 _dbus_verbose ("p = %p end = %p claimed_len %u\n", p, end, claimed_len);
370 case DBUS_TYPE_VARIANT:
372 /* 1 byte sig len, sig typecodes, align to
373 * contained-type-boundary, values.
376 /* In addition to normal signature validation, we need to be sure
377 * the signature contains only a single (possibly container) type.
379 dbus_uint32_t claimed_len;
382 DBusValidity validity;
383 int contained_alignment;
390 if (claimed_len + 1 > (unsigned long) (end - p))
391 return DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
393 _dbus_string_init_const_len (&sig, p, claimed_len);
394 if (!_dbus_validate_signature (&sig, 0,
395 _dbus_string_get_length (&sig)))
396 return DBUS_INVALID_VARIANT_SIGNATURE_BAD;
400 if (*p != DBUS_TYPE_INVALID)
401 return DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL;
404 contained_type = _dbus_first_type_in_signature (&sig, 0);
405 if (contained_type == DBUS_TYPE_INVALID)
406 return DBUS_INVALID_VARIANT_SIGNATURE_EMPTY;
408 contained_alignment = _dbus_type_get_alignment (contained_type);
410 a = _DBUS_ALIGN_ADDRESS (p, contained_alignment);
412 return DBUS_INVALID_NOT_ENOUGH_DATA;
416 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
420 _dbus_type_reader_init_types_only (&sub, &sig, 0);
422 _dbus_assert (_dbus_type_reader_get_current_type (&sub) != DBUS_TYPE_INVALID);
424 validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
425 if (validity != DBUS_VALID)
428 if (_dbus_type_reader_next (&sub))
429 return DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES;
431 _dbus_assert (_dbus_type_reader_get_current_type (&sub) == DBUS_TYPE_INVALID);
435 case DBUS_TYPE_DICT_ENTRY:
436 case DBUS_TYPE_STRUCT:
439 DBusValidity validity;
441 a = _DBUS_ALIGN_ADDRESS (p, 8);
443 return DBUS_INVALID_NOT_ENOUGH_DATA;
447 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
451 _dbus_type_reader_recurse (reader, &sub);
453 validity = validate_body_helper (&sub, byte_order, TRUE, p, end, &p);
454 if (validity != DBUS_VALID)
460 _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
465 _dbus_verbose (" validated value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
466 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
472 _dbus_verbose ("not enough data!!! p = %p end = %p end-p = %d\n",
473 p, end, (int) (end - p));
474 return DBUS_INVALID_NOT_ENOUGH_DATA;
477 if (walk_reader_to_end)
478 _dbus_type_reader_next (reader);
490 * Verifies that the range of value_str from value_pos to value_end is
491 * a legitimate value of type expected_signature. If this function
492 * returns #TRUE, it will be safe to iterate over the values with
493 * #DBusTypeReader. The signature is assumed to be already valid.
495 * If bytes_remaining is not #NULL, then leftover bytes will be stored
496 * there and #DBUS_VALID returned. If it is #NULL, then
497 * #DBUS_INVALID_TOO_MUCH_DATA will be returned if bytes are left
500 * @param expected_signature the expected types in the value_str
501 * @param expected_signature_start where in expected_signature is the signature
502 * @param byte_order the byte order
503 * @param bytes_remaining place to store leftover bytes
504 * @param value_str the string containing the body
505 * @param value_pos where the values start
506 * @param len length of values after value_pos
507 * @returns #DBUS_VALID if valid, reason why invalid otherwise
510 _dbus_validate_body_with_reason (const DBusString *expected_signature,
511 int expected_signature_start,
513 int *bytes_remaining,
514 const DBusString *value_str,
518 DBusTypeReader reader;
519 const unsigned char *p;
520 const unsigned char *end;
521 DBusValidity validity;
523 _dbus_assert (len >= 0);
524 _dbus_assert (value_pos >= 0);
525 _dbus_assert (value_pos <= _dbus_string_get_length (value_str) - len);
527 _dbus_verbose ("validating body from pos %d len %d sig '%s'\n",
528 value_pos, len, _dbus_string_get_const_data_len (expected_signature,
529 expected_signature_start,
532 _dbus_type_reader_init_types_only (&reader,
533 expected_signature, expected_signature_start);
535 p = _dbus_string_get_const_data_len (value_str, value_pos, len);
538 validity = validate_body_helper (&reader, byte_order, TRUE, p, end, &p);
539 if (validity != DBUS_VALID)
544 *bytes_remaining = end - p;
548 return DBUS_INVALID_TOO_MUCH_DATA;
551 _dbus_assert (p == end);
557 * Determine wether the given charater is valid as the first charater
560 #define VALID_INITIAL_NAME_CHARACTER(c) \
561 ( ((c) >= 'A' && (c) <= 'Z') || \
562 ((c) >= 'a' && (c) <= 'z') || \
566 * Determine wether the given charater is valid as a second or later
567 * character in a name
569 #define VALID_NAME_CHARACTER(c) \
570 ( ((c) >= '0' && (c) <= '9') || \
571 ((c) >= 'A' && (c) <= 'Z') || \
572 ((c) >= 'a' && (c) <= 'z') || \
576 * Checks that the given range of the string is a valid object path
577 * name in the D-BUS protocol. Part of the validation ensures that
578 * the object path contains only ASCII.
580 * @todo this is inconsistent with most of DBusString in that
581 * it allows a start,len range that extends past the string end.
583 * @todo change spec to disallow more things, such as spaces in the
586 * @param str the string
587 * @param start first byte index to check
588 * @param len number of bytes to check
589 * @returns #TRUE if the byte range exists and is a valid name
592 _dbus_validate_path (const DBusString *str,
596 const unsigned char *s;
597 const unsigned char *end;
598 const unsigned char *last_slash;
600 _dbus_assert (start >= 0);
601 _dbus_assert (len >= 0);
602 _dbus_assert (start <= _dbus_string_get_length (str));
604 if (len > _dbus_string_get_length (str) - start)
610 s = _dbus_string_get_const_data (str) + start;
622 if ((s - last_slash) < 2)
623 return FALSE; /* no empty path components allowed */
629 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
636 if ((end - last_slash) < 2 &&
638 return FALSE; /* trailing slash not allowed unless the string is "/" */
644 * Checks that the given range of the string is a valid interface name
645 * in the D-BUS protocol. This includes a length restriction and an
646 * ASCII subset, see the specification.
648 * @todo this is inconsistent with most of DBusString in that
649 * it allows a start,len range that extends past the string end.
651 * @param str the string
652 * @param start first byte index to check
653 * @param len number of bytes to check
654 * @returns #TRUE if the byte range exists and is a valid name
657 _dbus_validate_interface (const DBusString *str,
661 const unsigned char *s;
662 const unsigned char *end;
663 const unsigned char *iface;
664 const unsigned char *last_dot;
666 _dbus_assert (start >= 0);
667 _dbus_assert (len >= 0);
668 _dbus_assert (start <= _dbus_string_get_length (str));
670 if (len > _dbus_string_get_length (str) - start)
673 if (len > DBUS_MAXIMUM_NAME_LENGTH)
680 iface = _dbus_string_get_const_data (str) + start;
684 /* check special cases of first char so it doesn't have to be done
685 * in the loop. Note we know len > 0
687 if (_DBUS_UNLIKELY (*s == '.')) /* disallow starting with a . */
689 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
698 if (_DBUS_UNLIKELY ((s + 1) == end))
700 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*(s + 1))))
703 ++s; /* we just validated the next char, so skip two */
705 else if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
713 if (_DBUS_UNLIKELY (last_dot == NULL))
720 * Checks that the given range of the string is a valid member name
721 * in the D-BUS protocol. This includes a length restriction, etc.,
722 * see the specification.
724 * @todo this is inconsistent with most of DBusString in that
725 * it allows a start,len range that extends past the string end.
727 * @param str the string
728 * @param start first byte index to check
729 * @param len number of bytes to check
730 * @returns #TRUE if the byte range exists and is a valid name
733 _dbus_validate_member (const DBusString *str,
737 const unsigned char *s;
738 const unsigned char *end;
739 const unsigned char *member;
741 _dbus_assert (start >= 0);
742 _dbus_assert (len >= 0);
743 _dbus_assert (start <= _dbus_string_get_length (str));
745 if (len > _dbus_string_get_length (str) - start)
748 if (len > DBUS_MAXIMUM_NAME_LENGTH)
754 member = _dbus_string_get_const_data (str) + start;
758 /* check special cases of first char so it doesn't have to be done
759 * in the loop. Note we know len > 0
762 if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
769 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
781 * Checks that the given range of the string is a valid error name
782 * in the D-BUS protocol. This includes a length restriction, etc.,
783 * see the specification.
785 * @todo this is inconsistent with most of DBusString in that
786 * it allows a start,len range that extends past the string end.
788 * @param str the string
789 * @param start first byte index to check
790 * @param len number of bytes to check
791 * @returns #TRUE if the byte range exists and is a valid name
794 _dbus_validate_error_name (const DBusString *str,
798 /* Same restrictions as interface name at the moment */
799 return _dbus_validate_interface (str, start, len);
802 /* This assumes the first char exists and is ':' */
804 _dbus_validate_unique_name (const DBusString *str,
808 const unsigned char *s;
809 const unsigned char *end;
810 const unsigned char *name;
812 _dbus_assert (start >= 0);
813 _dbus_assert (len >= 0);
814 _dbus_assert (start <= _dbus_string_get_length (str));
816 if (len > _dbus_string_get_length (str) - start)
819 if (len > DBUS_MAXIMUM_NAME_LENGTH)
822 _dbus_assert (len > 0);
824 name = _dbus_string_get_const_data (str) + start;
826 _dbus_assert (*name == ':');
833 if (_DBUS_UNLIKELY ((s + 1) == end))
835 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*(s + 1))))
837 ++s; /* we just validated the next char, so skip two */
839 else if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
851 * Checks that the given range of the string is a valid bus name in
852 * the D-BUS protocol. This includes a length restriction, etc., see
855 * @todo this is inconsistent with most of DBusString in that
856 * it allows a start,len range that extends past the string end.
858 * @param str the string
859 * @param start first byte index to check
860 * @param len number of bytes to check
861 * @returns #TRUE if the byte range exists and is a valid name
864 _dbus_validate_bus_name (const DBusString *str,
868 if (_DBUS_UNLIKELY (len == 0))
870 if (_dbus_string_get_byte (str, start) == ':')
871 return _dbus_validate_unique_name (str, start, len);
873 return _dbus_validate_interface (str, start, len);
877 * Checks that the given range of the string is a valid message type
878 * signature in the D-BUS protocol.
880 * @todo this is inconsistent with most of DBusString in that
881 * it allows a start,len range that extends past the string end.
883 * @param str the string
884 * @param start first byte index to check
885 * @param len number of bytes to check
886 * @returns #TRUE if the byte range exists and is a valid signature
889 _dbus_validate_signature (const DBusString *str,
893 _dbus_assert (start >= 0);
894 _dbus_assert (start <= _dbus_string_get_length (str));
895 _dbus_assert (len >= 0);
897 if (len > _dbus_string_get_length (str) - start)
900 return _dbus_validate_signature_with_reason (str, start, len) == DBUS_VALID;
903 /** define _dbus_check_is_valid_path() */
904 DEFINE_DBUS_NAME_CHECK(path);
905 /** define _dbus_check_is_valid_interface() */
906 DEFINE_DBUS_NAME_CHECK(interface);
907 /** define _dbus_check_is_valid_member() */
908 DEFINE_DBUS_NAME_CHECK(member);
909 /** define _dbus_check_is_valid_error_name() */
910 DEFINE_DBUS_NAME_CHECK(error_name);
911 /** define _dbus_check_is_valid_bus_name() */
912 DEFINE_DBUS_NAME_CHECK(bus_name);
913 /** define _dbus_check_is_valid_signature() */
914 DEFINE_DBUS_NAME_CHECK(signature);
918 /* tests in dbus-marshal-validate-util.c */