1 /* -*- mode: C; c-file-style: "gnu" -*- */
2 /* dbus-marshal-validate.c Validation routines for marshaled data
4 * Copyright (C) 2005 Red Hat, Inc.
6 * Licensed under the Academic Free License version 2.1
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 #include "dbus-internals.h"
25 #include "dbus-marshal-validate.h"
26 #include "dbus-marshal-recursive.h"
27 #include "dbus-marshal-basic.h"
28 #include "dbus-signature.h"
29 #include "dbus-string.h"
32 * @addtogroup DBusMarshal
38 * Verifies that the range of type_str from type_pos to type_end is a
39 * valid signature. If this function returns #TRUE, it will be safe
40 * to iterate over the signature with a types-only #DBusTypeReader.
41 * The range passed in should NOT include the terminating
42 * nul/DBUS_TYPE_INVALID.
44 * @todo verify that dict entries have exactly two fields
46 * @todo require that dict entries are in an array
48 * @param type_str the string
49 * @param type_pos where the typecodes start
50 * @param len length of typecodes
51 * @returns #DBUS_VALID if valid, reason why invalid otherwise
54 _dbus_validate_signature_with_reason (const DBusString *type_str,
58 const unsigned char *p;
59 const unsigned char *end;
65 _dbus_assert (type_str != NULL);
66 _dbus_assert (type_pos < _DBUS_INT32_MAX - len);
67 _dbus_assert (len >= 0);
68 _dbus_assert (type_pos >= 0);
70 if (len > DBUS_MAXIMUM_SIGNATURE_LENGTH)
71 return DBUS_INVALID_SIGNATURE_TOO_LONG;
73 p = _dbus_string_get_const_data_len (type_str, type_pos, 0);
74 end = _dbus_string_get_const_data_len (type_str, type_pos + len, 0);
78 last = DBUS_TYPE_INVALID;
85 case DBUS_TYPE_BOOLEAN:
87 case DBUS_TYPE_UINT16:
89 case DBUS_TYPE_UINT32:
91 case DBUS_TYPE_UINT64:
92 case DBUS_TYPE_DOUBLE:
93 case DBUS_TYPE_STRING:
94 case DBUS_TYPE_OBJECT_PATH:
95 case DBUS_TYPE_SIGNATURE:
96 case DBUS_TYPE_VARIANT:
101 if (array_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
102 return DBUS_INVALID_EXCEEDED_MAXIMUM_ARRAY_RECURSION;
105 case DBUS_STRUCT_BEGIN_CHAR:
108 if (struct_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
109 return DBUS_INVALID_EXCEEDED_MAXIMUM_STRUCT_RECURSION;
112 case DBUS_STRUCT_END_CHAR:
113 if (struct_depth == 0)
114 return DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
116 if (last == DBUS_STRUCT_BEGIN_CHAR)
117 return DBUS_INVALID_STRUCT_HAS_NO_FIELDS;
122 case DBUS_DICT_ENTRY_BEGIN_CHAR:
123 if (last != DBUS_TYPE_ARRAY)
124 return DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY;
126 dict_entry_depth += 1;
128 if (dict_entry_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
129 return DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION;
132 case DBUS_DICT_ENTRY_END_CHAR:
133 if (dict_entry_depth == 0)
134 return DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
136 if (last == DBUS_DICT_ENTRY_BEGIN_CHAR)
137 return DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
139 dict_entry_depth -= 1;
142 case DBUS_TYPE_STRUCT: /* doesn't appear in signatures */
143 case DBUS_TYPE_DICT_ENTRY: /* ditto */
145 return DBUS_INVALID_UNKNOWN_TYPECODE;
150 if (*p == DBUS_TYPE_ARRAY)
152 else if (*p == DBUS_STRUCT_END_CHAR ||
153 *p == DBUS_DICT_ENTRY_END_CHAR)
154 return DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE;
159 if (last == DBUS_DICT_ENTRY_BEGIN_CHAR &&
160 !dbus_type_is_basic (*p))
161 return DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE;
168 return DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE;
170 if (struct_depth > 0)
171 return DBUS_INVALID_STRUCT_STARTED_BUT_NOT_ENDED;
173 if (dict_entry_depth > 0)
174 return DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED;
176 _dbus_assert (last != DBUS_TYPE_ARRAY);
177 _dbus_assert (last != DBUS_STRUCT_BEGIN_CHAR);
178 _dbus_assert (last != DBUS_DICT_ENTRY_BEGIN_CHAR);
184 validate_body_helper (DBusTypeReader *reader,
186 dbus_bool_t walk_reader_to_end,
187 const unsigned char *p,
188 const unsigned char *end,
189 const unsigned char **new_p)
193 while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
195 const unsigned char *a;
199 _dbus_verbose (" validating value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
200 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
204 /* Guarantee that p has one byte to look at */
206 return DBUS_INVALID_NOT_ENOUGH_DATA;
208 switch (current_type)
214 case DBUS_TYPE_BOOLEAN:
215 case DBUS_TYPE_INT16:
216 case DBUS_TYPE_UINT16:
217 case DBUS_TYPE_INT32:
218 case DBUS_TYPE_UINT32:
219 case DBUS_TYPE_INT64:
220 case DBUS_TYPE_UINT64:
221 case DBUS_TYPE_DOUBLE:
222 alignment = _dbus_type_get_alignment (current_type);
223 a = _DBUS_ALIGN_ADDRESS (p, alignment);
225 return DBUS_INVALID_NOT_ENOUGH_DATA;
229 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
233 if (current_type == DBUS_TYPE_BOOLEAN)
235 dbus_uint32_t v = _dbus_unpack_uint32 (byte_order,
237 if (!(v == 0 || v == 1))
238 return DBUS_INVALID_BOOLEAN_NOT_ZERO_OR_ONE;
244 case DBUS_TYPE_ARRAY:
245 case DBUS_TYPE_STRING:
246 case DBUS_TYPE_OBJECT_PATH:
248 dbus_uint32_t claimed_len;
250 a = _DBUS_ALIGN_ADDRESS (p, 4);
252 return DBUS_INVALID_NOT_ENOUGH_DATA;
256 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
260 claimed_len = _dbus_unpack_uint32 (byte_order, p);
263 /* p may now be == end */
264 _dbus_assert (p <= end);
266 if (current_type == DBUS_TYPE_ARRAY)
268 int array_elem_type = _dbus_type_reader_get_element_type (reader);
269 alignment = _dbus_type_get_alignment (array_elem_type);
270 p = _DBUS_ALIGN_ADDRESS (p, alignment);
273 if (claimed_len > (unsigned long) (end - p))
274 return DBUS_INVALID_LENGTH_OUT_OF_BOUNDS;
276 if (current_type == DBUS_TYPE_OBJECT_PATH)
279 _dbus_string_init_const_len (&str, p, claimed_len);
280 if (!_dbus_validate_path (&str, 0,
281 _dbus_string_get_length (&str)))
282 return DBUS_INVALID_BAD_PATH;
286 else if (current_type == DBUS_TYPE_STRING)
289 _dbus_string_init_const_len (&str, p, claimed_len);
290 if (!_dbus_string_validate_utf8 (&str, 0,
291 _dbus_string_get_length (&str)))
292 return DBUS_INVALID_BAD_UTF8_IN_STRING;
296 else if (current_type == DBUS_TYPE_ARRAY && claimed_len > 0)
299 DBusValidity validity;
300 const unsigned char *array_end;
302 if (claimed_len > DBUS_MAXIMUM_ARRAY_LENGTH)
303 return DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM;
305 /* Remember that the reader is types only, so we can't
306 * use it to iterate over elements. It stays the same
309 _dbus_type_reader_recurse (reader, &sub);
311 array_end = p + claimed_len;
313 while (p < array_end)
315 /* FIXME we are calling a function per array element! very bad
316 * need if (dbus_type_is_fixed(elem_type)) here to just skip
317 * big blocks of ints/bytes/etc.
320 validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
321 if (validity != DBUS_VALID)
326 return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
329 /* check nul termination */
330 if (current_type != DBUS_TYPE_ARRAY)
333 return DBUS_INVALID_NOT_ENOUGH_DATA;
336 return DBUS_INVALID_STRING_MISSING_NUL;
342 case DBUS_TYPE_SIGNATURE:
344 dbus_uint32_t claimed_len;
346 DBusValidity validity;
351 /* 1 is for nul termination */
352 if (claimed_len + 1 > (unsigned long) (end - p))
353 return DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
355 _dbus_string_init_const_len (&str, p, claimed_len);
357 _dbus_validate_signature_with_reason (&str, 0,
358 _dbus_string_get_length (&str));
360 if (validity != DBUS_VALID)
365 _dbus_assert (p < end);
366 if (*p != DBUS_TYPE_INVALID)
367 return DBUS_INVALID_SIGNATURE_MISSING_NUL;
371 _dbus_verbose ("p = %p end = %p claimed_len %u\n", p, end, claimed_len);
375 case DBUS_TYPE_VARIANT:
377 /* 1 byte sig len, sig typecodes, align to
378 * contained-type-boundary, values.
381 /* In addition to normal signature validation, we need to be sure
382 * the signature contains only a single (possibly container) type.
384 dbus_uint32_t claimed_len;
387 DBusValidity validity;
388 int contained_alignment;
395 if (claimed_len + 1 > (unsigned long) (end - p))
396 return DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
398 _dbus_string_init_const_len (&sig, p, claimed_len);
399 if (!_dbus_validate_signature (&sig, 0,
400 _dbus_string_get_length (&sig)))
401 return DBUS_INVALID_VARIANT_SIGNATURE_BAD;
405 if (*p != DBUS_TYPE_INVALID)
406 return DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL;
409 contained_type = _dbus_first_type_in_signature (&sig, 0);
410 if (contained_type == DBUS_TYPE_INVALID)
411 return DBUS_INVALID_VARIANT_SIGNATURE_EMPTY;
413 contained_alignment = _dbus_type_get_alignment (contained_type);
415 a = _DBUS_ALIGN_ADDRESS (p, contained_alignment);
417 return DBUS_INVALID_NOT_ENOUGH_DATA;
421 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
425 _dbus_type_reader_init_types_only (&sub, &sig, 0);
427 _dbus_assert (_dbus_type_reader_get_current_type (&sub) != DBUS_TYPE_INVALID);
429 validity = validate_body_helper (&sub, byte_order, FALSE, p, end, &p);
430 if (validity != DBUS_VALID)
433 if (_dbus_type_reader_next (&sub))
434 return DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES;
436 _dbus_assert (_dbus_type_reader_get_current_type (&sub) == DBUS_TYPE_INVALID);
440 case DBUS_TYPE_DICT_ENTRY:
441 case DBUS_TYPE_STRUCT:
444 DBusValidity validity;
446 a = _DBUS_ALIGN_ADDRESS (p, 8);
448 return DBUS_INVALID_NOT_ENOUGH_DATA;
452 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
456 _dbus_type_reader_recurse (reader, &sub);
458 validity = validate_body_helper (&sub, byte_order, TRUE, p, end, &p);
459 if (validity != DBUS_VALID)
465 _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
470 _dbus_verbose (" validated value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
471 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
477 _dbus_verbose ("not enough data!!! p = %p end = %p end-p = %d\n",
478 p, end, (int) (end - p));
479 return DBUS_INVALID_NOT_ENOUGH_DATA;
482 if (walk_reader_to_end)
483 _dbus_type_reader_next (reader);
495 * Verifies that the range of value_str from value_pos to value_end is
496 * a legitimate value of type expected_signature. If this function
497 * returns #TRUE, it will be safe to iterate over the values with
498 * #DBusTypeReader. The signature is assumed to be already valid.
500 * If bytes_remaining is not #NULL, then leftover bytes will be stored
501 * there and #DBUS_VALID returned. If it is #NULL, then
502 * #DBUS_INVALID_TOO_MUCH_DATA will be returned if bytes are left
505 * @param expected_signature the expected types in the value_str
506 * @param expected_signature_start where in expected_signature is the signature
507 * @param byte_order the byte order
508 * @param bytes_remaining place to store leftover bytes
509 * @param value_str the string containing the body
510 * @param value_pos where the values start
511 * @param len length of values after value_pos
512 * @returns #DBUS_VALID if valid, reason why invalid otherwise
515 _dbus_validate_body_with_reason (const DBusString *expected_signature,
516 int expected_signature_start,
518 int *bytes_remaining,
519 const DBusString *value_str,
523 DBusTypeReader reader;
524 const unsigned char *p;
525 const unsigned char *end;
526 DBusValidity validity;
528 _dbus_assert (len >= 0);
529 _dbus_assert (value_pos >= 0);
530 _dbus_assert (value_pos <= _dbus_string_get_length (value_str) - len);
532 _dbus_verbose ("validating body from pos %d len %d sig '%s'\n",
533 value_pos, len, _dbus_string_get_const_data_len (expected_signature,
534 expected_signature_start,
537 _dbus_type_reader_init_types_only (&reader,
538 expected_signature, expected_signature_start);
540 p = _dbus_string_get_const_data_len (value_str, value_pos, len);
543 validity = validate_body_helper (&reader, byte_order, TRUE, p, end, &p);
544 if (validity != DBUS_VALID)
549 *bytes_remaining = end - p;
553 return DBUS_INVALID_TOO_MUCH_DATA;
556 _dbus_assert (p == end);
562 * Determine wether the given charater is valid as the first charater
565 #define VALID_INITIAL_NAME_CHARACTER(c) \
566 ( ((c) >= 'A' && (c) <= 'Z') || \
567 ((c) >= 'a' && (c) <= 'z') || \
571 * Determine wether the given charater is valid as a second or later
572 * character in a name
574 #define VALID_NAME_CHARACTER(c) \
575 ( ((c) >= '0' && (c) <= '9') || \
576 ((c) >= 'A' && (c) <= 'Z') || \
577 ((c) >= 'a' && (c) <= 'z') || \
581 * Checks that the given range of the string is a valid object path
582 * name in the D-BUS protocol. Part of the validation ensures that
583 * the object path contains only ASCII.
585 * @todo this is inconsistent with most of DBusString in that
586 * it allows a start,len range that extends past the string end.
588 * @todo change spec to disallow more things, such as spaces in the
591 * @param str the string
592 * @param start first byte index to check
593 * @param len number of bytes to check
594 * @returns #TRUE if the byte range exists and is a valid name
597 _dbus_validate_path (const DBusString *str,
601 const unsigned char *s;
602 const unsigned char *end;
603 const unsigned char *last_slash;
605 _dbus_assert (start >= 0);
606 _dbus_assert (len >= 0);
607 _dbus_assert (start <= _dbus_string_get_length (str));
609 if (len > _dbus_string_get_length (str) - start)
615 s = _dbus_string_get_const_data (str) + start;
627 if ((s - last_slash) < 2)
628 return FALSE; /* no empty path components allowed */
634 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
641 if ((end - last_slash) < 2 &&
643 return FALSE; /* trailing slash not allowed unless the string is "/" */
649 * Checks that the given range of the string is a valid interface name
650 * in the D-BUS protocol. This includes a length restriction and an
651 * ASCII subset, see the specification.
653 * @todo this is inconsistent with most of DBusString in that
654 * it allows a start,len range that extends past the string end.
656 * @param str the string
657 * @param start first byte index to check
658 * @param len number of bytes to check
659 * @returns #TRUE if the byte range exists and is a valid name
662 _dbus_validate_interface (const DBusString *str,
666 const unsigned char *s;
667 const unsigned char *end;
668 const unsigned char *iface;
669 const unsigned char *last_dot;
671 _dbus_assert (start >= 0);
672 _dbus_assert (len >= 0);
673 _dbus_assert (start <= _dbus_string_get_length (str));
675 if (len > _dbus_string_get_length (str) - start)
678 if (len > DBUS_MAXIMUM_NAME_LENGTH)
685 iface = _dbus_string_get_const_data (str) + start;
689 /* check special cases of first char so it doesn't have to be done
690 * in the loop. Note we know len > 0
692 if (_DBUS_UNLIKELY (*s == '.')) /* disallow starting with a . */
694 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
703 if (_DBUS_UNLIKELY ((s + 1) == end))
705 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*(s + 1))))
708 ++s; /* we just validated the next char, so skip two */
710 else if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
718 if (_DBUS_UNLIKELY (last_dot == NULL))
725 * Checks that the given range of the string is a valid member name
726 * in the D-BUS protocol. This includes a length restriction, etc.,
727 * see the specification.
729 * @todo this is inconsistent with most of DBusString in that
730 * it allows a start,len range that extends past the string end.
732 * @param str the string
733 * @param start first byte index to check
734 * @param len number of bytes to check
735 * @returns #TRUE if the byte range exists and is a valid name
738 _dbus_validate_member (const DBusString *str,
742 const unsigned char *s;
743 const unsigned char *end;
744 const unsigned char *member;
746 _dbus_assert (start >= 0);
747 _dbus_assert (len >= 0);
748 _dbus_assert (start <= _dbus_string_get_length (str));
750 if (len > _dbus_string_get_length (str) - start)
753 if (len > DBUS_MAXIMUM_NAME_LENGTH)
759 member = _dbus_string_get_const_data (str) + start;
763 /* check special cases of first char so it doesn't have to be done
764 * in the loop. Note we know len > 0
767 if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
774 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
786 * Checks that the given range of the string is a valid error name
787 * in the D-BUS protocol. This includes a length restriction, etc.,
788 * see the specification.
790 * @todo this is inconsistent with most of DBusString in that
791 * it allows a start,len range that extends past the string end.
793 * @param str the string
794 * @param start first byte index to check
795 * @param len number of bytes to check
796 * @returns #TRUE if the byte range exists and is a valid name
799 _dbus_validate_error_name (const DBusString *str,
803 /* Same restrictions as interface name at the moment */
804 return _dbus_validate_interface (str, start, len);
807 /* This assumes the first char exists and is ':' */
809 _dbus_validate_unique_name (const DBusString *str,
813 const unsigned char *s;
814 const unsigned char *end;
815 const unsigned char *name;
817 _dbus_assert (start >= 0);
818 _dbus_assert (len >= 0);
819 _dbus_assert (start <= _dbus_string_get_length (str));
821 if (len > _dbus_string_get_length (str) - start)
824 if (len > DBUS_MAXIMUM_NAME_LENGTH)
827 _dbus_assert (len > 0);
829 name = _dbus_string_get_const_data (str) + start;
831 _dbus_assert (*name == ':');
838 if (_DBUS_UNLIKELY ((s + 1) == end))
840 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*(s + 1))))
842 ++s; /* we just validated the next char, so skip two */
844 else if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
856 * Checks that the given range of the string is a valid bus name in
857 * the D-BUS protocol. This includes a length restriction, etc., see
860 * @todo this is inconsistent with most of DBusString in that
861 * it allows a start,len range that extends past the string end.
863 * @param str the string
864 * @param start first byte index to check
865 * @param len number of bytes to check
866 * @returns #TRUE if the byte range exists and is a valid name
869 _dbus_validate_bus_name (const DBusString *str,
873 if (_DBUS_UNLIKELY (len == 0))
875 if (_dbus_string_get_byte (str, start) == ':')
876 return _dbus_validate_unique_name (str, start, len);
878 return _dbus_validate_interface (str, start, len);
882 * Checks that the given range of the string is a valid message type
883 * signature in the D-BUS protocol.
885 * @todo this is inconsistent with most of DBusString in that
886 * it allows a start,len range that extends past the string end.
888 * @param str the string
889 * @param start first byte index to check
890 * @param len number of bytes to check
891 * @returns #TRUE if the byte range exists and is a valid signature
894 _dbus_validate_signature (const DBusString *str,
898 _dbus_assert (start >= 0);
899 _dbus_assert (start <= _dbus_string_get_length (str));
900 _dbus_assert (len >= 0);
902 if (len > _dbus_string_get_length (str) - start)
905 return _dbus_validate_signature_with_reason (str, start, len) == DBUS_VALID;
908 /** define _dbus_check_is_valid_path() */
909 DEFINE_DBUS_NAME_CHECK(path);
910 /** define _dbus_check_is_valid_interface() */
911 DEFINE_DBUS_NAME_CHECK(interface);
912 /** define _dbus_check_is_valid_member() */
913 DEFINE_DBUS_NAME_CHECK(member);
914 /** define _dbus_check_is_valid_error_name() */
915 DEFINE_DBUS_NAME_CHECK(error_name);
916 /** define _dbus_check_is_valid_bus_name() */
917 DEFINE_DBUS_NAME_CHECK(bus_name);
918 /** define _dbus_check_is_valid_signature() */
919 DEFINE_DBUS_NAME_CHECK(signature);
923 /* tests in dbus-marshal-validate-util.c */