}
retval = TEMP_FAILURE_RETRY(read(sockfd, &size, sizeof(size_t)));
- if(retval < (ssize_t)sizeof(size_t) || size == 0)
+ if(retval < (ssize_t)sizeof(size_t) || size == 0 || size > MESSAGE_MAX_LEN)
{
/* Error on socket */
SEC_SVR_ERR("read() failed: %d", retval);
memcpy(*object, buff + sizeof(int), object_size);
//get access_rights
- access_rights_size = datasize - sizeof(int) - object_size;
+ access_rights_size = datasize - object_size - sizeof(int);
*access_rights = (char *)malloc(access_rights_size);
memcpy(*access_rights, buff + sizeof(int) + object_size, access_rights_size);
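Review bot: Reordering the operands in `access_rights_size = datasize - object_size - sizeof(int);` does not change the result, so the underflow it seems aimed at is still present: whenever `datasize < object_size + sizeof(int)` the subtraction wraps to a huge value, the `malloc()` result is never checked, and the following `memcpy()` reads far past `buff`. Both `datasize` and `object_size` look like they come off the wire (their declarations and the surrounding function are outside the hunk), so the relation between them must be validated before the subtraction and the allocation checked. The enclosing function starts and ends outside the hunk, so replace the `-1` below with whatever error convention that function already uses.
```c
/* … unchanged: object copy … */
//get access_rights
if (datasize < sizeof(int) + object_size) {
    SEC_SVR_ERR("%s", "malformed message: datasize smaller than header + object");
    return -1; /* use this function's error-return convention */
}
access_rights_size = datasize - object_size - sizeof(int);
*access_rights = (char *)malloc(access_rights_size);
if (*access_rights == NULL) {
    SEC_SVR_ERR("%s", "malloc() failed for access_rights");
    return -1; /* use this function's error-return convention */
}
memcpy(*access_rights, buff + sizeof(int) + object_size, access_rights_size);
```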
#define SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_MICROSECOND 500000 /* = 500 milliseconds */
#define SECURITY_SERVER_MAX_PASSWORD_HISTORY 50
#define SECURITY_SERVER_NUM_THREADS 10
+#define MESSAGE_MAX_LEN 1048576
/* API prefix */
#ifndef SECURITY_SERVER_API
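Review bot: `MESSAGE_MAX_LEN` is introduced without the explanatory comment its neighbours carry (e.g. the `/* = 500 milliseconds */` on the timeout), and it drops the `SECURITY_SERVER_` prefix every other constant in this header uses. Since this value is now the hard ceiling on what the server will read off a client socket, the reason for 1 MiB should be recorded next to it: `#define MESSAGE_MAX_LEN 1048576 /* = 1 MiB, upper bound on any length field read from a client socket */`. If its consumers are few, renaming it to `SECURITY_SERVER_MESSAGE_MAX_LEN` would keep the header consistent.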
authorize_SS_API_caller_socket(client_sockfd, API_DATA_SHARE, API_RULE_REQUIRED);
if (client_has_access(client_sockfd, API_DATA_SHARE)) {
SEC_SVR_DBG("%s", "Server: app give access request received");
- process_app_get_access_request(client_sockfd,
- basic_hdr.msg_len - sizeof(basic_hdr));
+ if (basic_hdr.msg_len >= 0 && (size_t)basic_hdr.msg_len >= sizeof(basic_hdr)) {
+ process_app_get_access_request(client_sockfd,
+ basic_hdr.msg_len - sizeof(basic_hdr));
+ } else {
+ SEC_SVR_ERR("ERROR: Invalid message length: %d", basic_hdr.msg_len);
+ }
} else {
SEC_SVR_DBG("%s", "Server: app give access request received (API DENIED - request will not proceed)");
send_generic_response(client_sockfd,
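Review bot: In the new `else` branch an invalid `msg_len` is only logged; unlike the API-denied branch directly below, which answers with `send_generic_response(client_sockfd, …)`, nothing is sent back to the client, so a peer that sends a malformed header gets no reply and what happens to the socket next depends on code outside the hunk. The new guard also bounds `msg_len` only from below; whether an upper bound (for instance against `MESSAGE_MAX_LEN`) is enforced inside `process_app_get_access_request` is not visible here, so either add it to this condition or confirm it there. I would mirror the denied branch and call `send_generic_response(client_sockfd, …)` with the response code this file already uses for a malformed request. The enclosing function starts and ends outside the hunk.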