1 /* -*- mode: C; c-file-style: "gnu" -*- */
2 /* dbus-marshal-validate.c Validation routines for marshaled data
4 * Copyright (C) 2005 Red Hat, Inc.
6 * Licensed under the Academic Free License version 2.1
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 #include "dbus-internals.h"
25 #include "dbus-marshal-validate.h"
26 #include "dbus-marshal-recursive.h"
27 #include "dbus-marshal-basic.h"
28 #include "dbus-string.h"
31 * @addtogroup DBusMarshal
37 * Verifies that the range of type_str from type_pos to type_end is a
38 * valid signature. If this function returns #TRUE, it will be safe
39 * to iterate over the signature with a types-only #DBusTypeReader.
40 * The range passed in should NOT include the terminating
41 * nul/DBUS_TYPE_INVALID.
43 * @param type_str the string
44 * @param type_pos where the typecodes start
45 * @param len length of typecodes
46 * @returns #DBUS_VALID if valid, reason why invalid otherwise
49 _dbus_validate_signature_with_reason (const DBusString *type_str,
53 const unsigned char *p;
54 const unsigned char *end;
59 _dbus_assert (type_str != NULL);
60 _dbus_assert (type_pos < _DBUS_INT32_MAX - len);
61 _dbus_assert (len >= 0);
62 _dbus_assert (type_pos >= 0);
64 if (len > DBUS_MAXIMUM_SIGNATURE_LENGTH)
65 return DBUS_INVALID_SIGNATURE_TOO_LONG;
67 p = _dbus_string_get_const_data_len (type_str, type_pos, 0);
68 end = _dbus_string_get_const_data_len (type_str, type_pos + len, 0);
71 last = DBUS_TYPE_INVALID;
78 case DBUS_TYPE_BOOLEAN:
80 case DBUS_TYPE_UINT16:
82 case DBUS_TYPE_UINT32:
84 case DBUS_TYPE_UINT64:
85 case DBUS_TYPE_DOUBLE:
86 case DBUS_TYPE_STRING:
87 case DBUS_TYPE_OBJECT_PATH:
88 case DBUS_TYPE_SIGNATURE:
89 case DBUS_TYPE_VARIANT:
94 if (array_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
95 return DBUS_INVALID_EXCEEDED_MAXIMUM_ARRAY_RECURSION;
98 case DBUS_STRUCT_BEGIN_CHAR:
101 if (struct_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
102 return DBUS_INVALID_EXCEEDED_MAXIMUM_STRUCT_RECURSION;
105 case DBUS_STRUCT_END_CHAR:
106 if (struct_depth == 0)
107 return DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
109 if (last == DBUS_STRUCT_BEGIN_CHAR)
110 return DBUS_INVALID_STRUCT_HAS_NO_FIELDS;
115 case DBUS_TYPE_STRUCT: /* doesn't appear in signatures */
117 return DBUS_INVALID_UNKNOWN_TYPECODE;
120 if (*p != DBUS_TYPE_ARRAY)
128 return DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE;
130 if (struct_depth > 0)
131 return DBUS_INVALID_STRUCT_STARTED_BUT_NOT_ENDED;
137 validate_body_helper (DBusTypeReader *reader,
139 dbus_bool_t walk_reader_to_end,
140 const unsigned char *p,
141 const unsigned char *end,
142 const unsigned char **new_p)
146 while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
148 const unsigned char *a;
151 _dbus_verbose (" validating value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
152 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
155 /* Guarantee that p has one byte to look at */
157 return DBUS_INVALID_NOT_ENOUGH_DATA;
159 switch (current_type)
165 case DBUS_TYPE_BOOLEAN:
166 case DBUS_TYPE_INT16:
167 case DBUS_TYPE_UINT16:
168 case DBUS_TYPE_INT32:
169 case DBUS_TYPE_UINT32:
170 case DBUS_TYPE_INT64:
171 case DBUS_TYPE_UINT64:
172 case DBUS_TYPE_DOUBLE:
173 alignment = _dbus_type_get_alignment (current_type);
174 a = _DBUS_ALIGN_ADDRESS (p, alignment);
176 return DBUS_INVALID_NOT_ENOUGH_DATA;
180 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
184 if (current_type == DBUS_TYPE_BOOLEAN)
186 dbus_uint32_t v = _dbus_unpack_uint32 (byte_order,
188 if (!(v == 0 || v == 1))
189 return DBUS_INVALID_BOOLEAN_NOT_ZERO_OR_ONE;
195 case DBUS_TYPE_ARRAY:
196 case DBUS_TYPE_STRING:
197 case DBUS_TYPE_OBJECT_PATH:
199 dbus_uint32_t claimed_len;
201 a = _DBUS_ALIGN_ADDRESS (p, 4);
203 return DBUS_INVALID_NOT_ENOUGH_DATA;
207 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
211 claimed_len = _dbus_unpack_uint32 (byte_order, p);
214 /* p may now be == end */
215 _dbus_assert (p <= end);
217 if (current_type == DBUS_TYPE_ARRAY)
219 int array_elem_type = _dbus_type_reader_get_element_type (reader);
220 alignment = _dbus_type_get_alignment (array_elem_type);
221 p = _DBUS_ALIGN_ADDRESS (p, alignment);
224 if (claimed_len > (unsigned long) (end - p))
225 return DBUS_INVALID_STRING_LENGTH_OUT_OF_BOUNDS;
227 if (current_type == DBUS_TYPE_OBJECT_PATH)
230 _dbus_string_init_const_len (&str, p, claimed_len);
231 if (!_dbus_validate_path (&str, 0,
232 _dbus_string_get_length (&str)))
233 return DBUS_INVALID_BAD_PATH;
237 else if (current_type == DBUS_TYPE_STRING)
240 _dbus_string_init_const_len (&str, p, claimed_len);
241 if (!_dbus_string_validate_utf8 (&str, 0,
242 _dbus_string_get_length (&str)))
243 return DBUS_INVALID_BAD_UTF8_IN_STRING;
247 else if (current_type == DBUS_TYPE_ARRAY && claimed_len > 0)
250 DBusValidity validity;
251 const unsigned char *array_end;
253 /* Remember that the reader is types only, so we can't
254 * use it to iterate over elements. It stays the same
257 _dbus_type_reader_recurse (reader, &sub);
259 array_end = p + claimed_len;
261 while (p < array_end)
263 /* FIXME we are calling a function per array element! very bad
264 * need if (dbus_type_is_fixed(elem_type)) here to just skip
265 * big blocks of ints/bytes/etc.
268 validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
269 if (validity != DBUS_VALID)
274 return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
277 /* check nul termination */
278 if (current_type != DBUS_TYPE_ARRAY)
281 return DBUS_INVALID_NOT_ENOUGH_DATA;
284 return DBUS_INVALID_STRING_MISSING_NUL;
290 case DBUS_TYPE_SIGNATURE:
292 dbus_uint32_t claimed_len;
298 /* 1 is for nul termination */
299 if (claimed_len + 1 > (unsigned long) (end - p))
300 return DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
302 _dbus_string_init_const_len (&str, p, claimed_len);
303 if (!_dbus_validate_signature (&str, 0,
304 _dbus_string_get_length (&str)))
305 return DBUS_INVALID_BAD_SIGNATURE;
309 _dbus_assert (p < end);
310 if (*p != DBUS_TYPE_INVALID)
311 return DBUS_INVALID_SIGNATURE_MISSING_NUL;
315 _dbus_verbose ("p = %p end = %p claimed_len %u\n", p, end, claimed_len);
319 case DBUS_TYPE_VARIANT:
321 /* 1 byte sig len, sig typecodes, align to
322 * contained-type-boundary, values.
325 /* In addition to normal signature validation, we need to be sure
326 * the signature contains only a single (possibly container) type.
328 dbus_uint32_t claimed_len;
331 DBusValidity validity;
332 int contained_alignment;
338 if (claimed_len + 1 > (unsigned long) (end - p))
339 return DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
341 _dbus_string_init_const_len (&sig, p, claimed_len);
342 if (!_dbus_validate_signature (&sig, 0,
343 _dbus_string_get_length (&sig)))
344 return DBUS_INVALID_VARIANT_SIGNATURE_BAD;
348 if (*p != DBUS_TYPE_INVALID)
349 return DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL;
352 contained_alignment = _dbus_type_get_alignment (_dbus_first_type_in_signature (&sig, 0));
354 a = _DBUS_ALIGN_ADDRESS (p, contained_alignment);
356 return DBUS_INVALID_NOT_ENOUGH_DATA;
360 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
364 _dbus_type_reader_init_types_only (&sub, &sig, 0);
366 if (_dbus_type_reader_get_current_type (&sub) == DBUS_TYPE_INVALID)
367 return DBUS_INVALID_VARIANT_SIGNATURE_EMPTY;
369 validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
370 if (validity != DBUS_VALID)
373 if (_dbus_type_reader_next (&sub))
374 return DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES;
376 _dbus_assert (_dbus_type_reader_get_current_type (&sub) == DBUS_TYPE_INVALID);
380 case DBUS_TYPE_STRUCT:
383 DBusValidity validity;
385 a = _DBUS_ALIGN_ADDRESS (p, 8);
387 return DBUS_INVALID_NOT_ENOUGH_DATA;
391 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
395 _dbus_type_reader_recurse (reader, &sub);
397 validity = validate_body_helper (&sub, byte_order, TRUE, p, end, &p);
398 if (validity != DBUS_VALID)
404 _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
408 _dbus_verbose (" validated value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
409 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
414 _dbus_verbose ("not enough data!!! p = %p end = %p end-p = %d\n",
415 p, end, (int) (end - p));
416 return DBUS_INVALID_NOT_ENOUGH_DATA;
419 if (walk_reader_to_end)
420 _dbus_type_reader_next (reader);
432 * Verifies that the range of value_str from value_pos to value_end is
433 * a legitimate value of type expected_signature. If this function
434 * returns #TRUE, it will be safe to iterate over the values with
435 * #DBusTypeReader. The signature is assumed to be already valid.
437 * If bytes_remaining is not #NULL, then leftover bytes will be stored
438 * there and #DBUS_VALID returned. If it is #NULL, then
439 * #DBUS_INVALID_TOO_MUCH_DATA will be returned if bytes are left
442 * @param expected_signature the expected types in the value_str
443 * @param expected_signature_start where in expected_signature is the signature
444 * @param byte_order the byte order
445 * @param bytes_remaining place to store leftover bytes
446 * @param value_str the string containing the body
447 * @param value_pos where the values start
448 * @param len length of values after value_pos
449 * @returns #DBUS_VALID if valid, reason why invalid otherwise
452 _dbus_validate_body_with_reason (const DBusString *expected_signature,
453 int expected_signature_start,
455 int *bytes_remaining,
456 const DBusString *value_str,
460 DBusTypeReader reader;
461 const unsigned char *p;
462 const unsigned char *end;
463 DBusValidity validity;
465 _dbus_assert (len >= 0);
466 _dbus_assert (value_pos >= 0);
467 _dbus_assert (value_pos <= _dbus_string_get_length (value_str) - len);
469 _dbus_verbose ("validating body from pos %d len %d sig '%s'\n",
470 value_pos, len, _dbus_string_get_const_data_len (expected_signature,
471 expected_signature_start,
474 _dbus_type_reader_init_types_only (&reader,
475 expected_signature, expected_signature_start);
477 p = _dbus_string_get_const_data_len (value_str, value_pos, len);
480 validity = validate_body_helper (&reader, byte_order, TRUE, p, end, &p);
481 if (validity != DBUS_VALID)
486 *bytes_remaining = end - p;
490 return DBUS_INVALID_TOO_MUCH_DATA;
493 _dbus_assert (p == end);
499 * Determine wether the given charater is valid as the first charater
502 #define VALID_INITIAL_NAME_CHARACTER(c) \
503 ( ((c) >= 'A' && (c) <= 'Z') || \
504 ((c) >= 'a' && (c) <= 'z') || \
508 * Determine wether the given charater is valid as a second or later
509 * character in a name
511 #define VALID_NAME_CHARACTER(c) \
512 ( ((c) >= '0' && (c) <= '9') || \
513 ((c) >= 'A' && (c) <= 'Z') || \
514 ((c) >= 'a' && (c) <= 'z') || \
518 * Checks that the given range of the string is a valid object path
519 * name in the D-BUS protocol. Part of the validation ensures that
520 * the object path contains only ASCII.
522 * @todo this is inconsistent with most of DBusString in that
523 * it allows a start,len range that extends past the string end.
525 * @todo change spec to disallow more things, such as spaces in the
528 * @param str the string
529 * @param start first byte index to check
530 * @param len number of bytes to check
531 * @returns #TRUE if the byte range exists and is a valid name
534 _dbus_validate_path (const DBusString *str,
538 const unsigned char *s;
539 const unsigned char *end;
540 const unsigned char *last_slash;
542 _dbus_assert (start >= 0);
543 _dbus_assert (len >= 0);
544 _dbus_assert (start <= _dbus_string_get_length (str));
546 if (len > _dbus_string_get_length (str) - start)
552 s = _dbus_string_get_const_data (str) + start;
564 if ((s - last_slash) < 2)
565 return FALSE; /* no empty path components allowed */
571 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
578 if ((end - last_slash) < 2 &&
580 return FALSE; /* trailing slash not allowed unless the string is "/" */
586 * Checks that the given range of the string is a valid interface name
587 * in the D-BUS protocol. This includes a length restriction and an
588 * ASCII subset, see the specification.
590 * @todo this is inconsistent with most of DBusString in that
591 * it allows a start,len range that extends past the string end.
593 * @param str the string
594 * @param start first byte index to check
595 * @param len number of bytes to check
596 * @returns #TRUE if the byte range exists and is a valid name
599 _dbus_validate_interface (const DBusString *str,
603 const unsigned char *s;
604 const unsigned char *end;
605 const unsigned char *iface;
606 const unsigned char *last_dot;
608 _dbus_assert (start >= 0);
609 _dbus_assert (len >= 0);
610 _dbus_assert (start <= _dbus_string_get_length (str));
612 if (len > _dbus_string_get_length (str) - start)
615 if (len > DBUS_MAXIMUM_NAME_LENGTH)
622 iface = _dbus_string_get_const_data (str) + start;
626 /* check special cases of first char so it doesn't have to be done
627 * in the loop. Note we know len > 0
629 if (_DBUS_UNLIKELY (*s == '.')) /* disallow starting with a . */
631 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
640 if (_DBUS_UNLIKELY ((s + 1) == end))
642 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*(s + 1))))
645 ++s; /* we just validated the next char, so skip two */
647 else if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
655 if (_DBUS_UNLIKELY (last_dot == NULL))
662 * Checks that the given range of the string is a valid member name
663 * in the D-BUS protocol. This includes a length restriction, etc.,
664 * see the specification.
666 * @todo this is inconsistent with most of DBusString in that
667 * it allows a start,len range that extends past the string end.
669 * @param str the string
670 * @param start first byte index to check
671 * @param len number of bytes to check
672 * @returns #TRUE if the byte range exists and is a valid name
675 _dbus_validate_member (const DBusString *str,
679 const unsigned char *s;
680 const unsigned char *end;
681 const unsigned char *member;
683 _dbus_assert (start >= 0);
684 _dbus_assert (len >= 0);
685 _dbus_assert (start <= _dbus_string_get_length (str));
687 if (len > _dbus_string_get_length (str) - start)
690 if (len > DBUS_MAXIMUM_NAME_LENGTH)
696 member = _dbus_string_get_const_data (str) + start;
700 /* check special cases of first char so it doesn't have to be done
701 * in the loop. Note we know len > 0
704 if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
711 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
723 * Checks that the given range of the string is a valid error name
724 * in the D-BUS protocol. This includes a length restriction, etc.,
725 * see the specification.
727 * @todo this is inconsistent with most of DBusString in that
728 * it allows a start,len range that extends past the string end.
730 * @param str the string
731 * @param start first byte index to check
732 * @param len number of bytes to check
733 * @returns #TRUE if the byte range exists and is a valid name
736 _dbus_validate_error_name (const DBusString *str,
740 /* Same restrictions as interface name at the moment */
741 return _dbus_validate_interface (str, start, len);
744 /* This assumes the first char exists and is ':' */
746 _dbus_validate_unique_name (const DBusString *str,
750 const unsigned char *s;
751 const unsigned char *end;
752 const unsigned char *name;
754 _dbus_assert (start >= 0);
755 _dbus_assert (len >= 0);
756 _dbus_assert (start <= _dbus_string_get_length (str));
758 if (len > _dbus_string_get_length (str) - start)
761 if (len > DBUS_MAXIMUM_NAME_LENGTH)
764 _dbus_assert (len > 0);
766 name = _dbus_string_get_const_data (str) + start;
768 _dbus_assert (*name == ':');
775 if (_DBUS_UNLIKELY ((s + 1) == end))
777 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*(s + 1))))
779 ++s; /* we just validated the next char, so skip two */
781 else if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
793 * Checks that the given range of the string is a valid bus name in
794 * the D-BUS protocol. This includes a length restriction, etc., see
797 * @todo this is inconsistent with most of DBusString in that
798 * it allows a start,len range that extends past the string end.
800 * @param str the string
801 * @param start first byte index to check
802 * @param len number of bytes to check
803 * @returns #TRUE if the byte range exists and is a valid name
806 _dbus_validate_bus_name (const DBusString *str,
810 if (_DBUS_UNLIKELY (len == 0))
812 if (_dbus_string_get_byte (str, start) == ':')
813 return _dbus_validate_unique_name (str, start, len);
815 return _dbus_validate_interface (str, start, len);
819 * Checks that the given range of the string is a valid message type
820 * signature in the D-BUS protocol.
822 * @todo this is inconsistent with most of DBusString in that
823 * it allows a start,len range that extends past the string end.
825 * @param str the string
826 * @param start first byte index to check
827 * @param len number of bytes to check
828 * @returns #TRUE if the byte range exists and is a valid signature
831 _dbus_validate_signature (const DBusString *str,
835 _dbus_assert (start >= 0);
836 _dbus_assert (start <= _dbus_string_get_length (str));
837 _dbus_assert (len >= 0);
839 if (len > _dbus_string_get_length (str) - start)
842 return _dbus_validate_signature_with_reason (str, start, len) == DBUS_VALID;
845 /** define _dbus_check_is_valid_path() */
846 DEFINE_DBUS_NAME_CHECK(path);
847 /** define _dbus_check_is_valid_interface() */
848 DEFINE_DBUS_NAME_CHECK(interface);
849 /** define _dbus_check_is_valid_member() */
850 DEFINE_DBUS_NAME_CHECK(member);
851 /** define _dbus_check_is_valid_error_name() */
852 DEFINE_DBUS_NAME_CHECK(error_name);
853 /** define _dbus_check_is_valid_bus_name() */
854 DEFINE_DBUS_NAME_CHECK(bus_name);
855 /** define _dbus_check_is_valid_signature() */
856 DEFINE_DBUS_NAME_CHECK(signature);
860 /* tests in dbus-marshal-validate-util.c */