Check event data length before memcpy()
authorSeonah Moon <seonah1.moon@samsung.com>
Tue, 25 Aug 2020 06:44:03 +0000 (15:44 +0900)
committerSeonah Moon <seonah1.moon@samsung.com>
Tue, 25 Aug 2020 06:44:03 +0000 (15:44 +0900)
packaging/nan-manager.spec
src/NanHalEventCallbackHandler.cpp

index ba8e5b89b35d56179dfa7f8d4b1254cb5142ac3b..b8b30223722eb3c806ce5e6f0ead9856f8e8f768 100644 (file)
@@ -2,7 +2,7 @@
 
 Name:          nan-manager
 Summary:       NAN (Neighbor Awareness Networking) manager (Wi-Fi Aware)
-Version:       0.1.7
+Version:       0.1.8
 Release:       1
 Group:         Network & Connectivity
 License:       Apache-2.0
index 9437ba006f980c872bc5bd4c0c24ba9dbbdb628e..4762334f9490d319cd7fe48aead5991a3a45b5a9 100644 (file)
@@ -239,9 +239,23 @@ void raiseServiceDiscoveredEvent(NanMatchInd *event)
        NanDiscoveryResult discoveryEvent;
        discoveryEvent.subId = event->publish_subscribe_id;
        discoveryEvent.requestorId = event->requestor_instance_id;
+
+       if (event->service_specific_info_len < 0
+                       || event->service_specific_info_len > NAN_MAX_SERVICE_SPECIFIC_INFO_LEN) {
+               NAN_LOGE("Invalid service_specific_info length");
+               return;
+       }
+
        memcpy(discoveryEvent.specificInfo, event->service_specific_info,
                        event->service_specific_info_len);
        discoveryEvent.specificInfoLen = event->service_specific_info_len;
+
+       if (event->sdf_match_filter_len < 0
+                       || event->sdf_match_filter_len > NAN_MAX_MATCH_FILTER_LEN) {
+               NAN_LOGE("Invalid sdf_match_filter length");
+               return;
+       }
+
        memcpy(discoveryEvent.matchFilter, event->sdf_match_filter,
                        event->sdf_match_filter_len);
        discoveryEvent.matchFilterLen = event->sdf_match_filter_len;
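Review bot: The two new guards bound each memcpy against the HAL constants NAN_MAX_SERVICE_SPECIFIC_INFO_LEN and NAN_MAX_MATCH_FILTER_LEN, but the copy destinations are discoveryEvent.specificInfo and discoveryEvent.matchFilter, whose capacities are not visible in this hunk; if those arrays are ever sized differently from the HAL constants the check no longer prevents the overflow it was added to stop. Bounding against the destination itself removes that coupling: `if (event->service_specific_info_len < 0 || (size_t)event->service_specific_info_len > sizeof discoveryEvent.specificInfo) {` and the equivalent `sizeof discoveryEvent.matchFilter` for the second guard. The same point applies to the hunks in raiseFollowupEvent, raiseDataPathRequestedEvent and raiseDataPathConfirmedEvent, which compare against NAN_MAX_SERVICE_SPECIFIC_INFO_LEN and NAN_DP_MAX_APP_INFO_LEN. If the `_len` fields are declared unsigned in the HAL headers, the `< 0` half of each condition is always false and will draw a type-limits warning, so the field types are worth confirming; it would also be cleaner to run both length checks before the first memcpy rather than returning between the two copies. raiseServiceDiscoveredEvent begins before and continues past this hunk, so whether discoveryEvent is zero-initialised before these partial copies cannot be seen from here.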
@@ -284,6 +298,13 @@ void raiseFollowupEvent(NanFollowupInd *event)
        NanFollowupEvent followupEvent;
        followupEvent.pubSubId = event->publish_subscribe_id;
        followupEvent.requestorId = event->requestor_instance_id;
+
+       if (event->service_specific_info_len < 0
+                       || event->service_specific_info_len > NAN_MAX_SERVICE_SPECIFIC_INFO_LEN) {
+               NAN_LOGE("Invalid service_specific_info length");
+               return;
+       }
+
        memcpy(followupEvent.message, event->service_specific_info,
                        event->service_specific_info_len);
        followupEvent.messageLen = event->service_specific_info_len;
@@ -327,6 +348,13 @@ void raiseDataPathRequestedEvent(NanDataPathRequestInd *event)
        NanDataPathRequestEvent dataPathEvent;
        dataPathEvent.serviceId = event->service_instance_id;
        dataPathEvent.dataPathId = event->ndp_instance_id;
+
+       if (event->app_info.ndp_app_info_len < 0
+                       || event->app_info.ndp_app_info_len > NAN_DP_MAX_APP_INFO_LEN) {
+               NAN_LOGE("Invalid app_info length");
+               return;
+       }
+
        memcpy(dataPathEvent.appInfo,
                        event->app_info.ndp_app_info,
                        event->app_info.ndp_app_info_len);
@@ -357,6 +385,13 @@ void raiseDataPathConfirmedEvent(NanDataPathConfirmInd *event)
 
        NanDataPathConfirmEvent dataPathConfirmEvent;
        dataPathConfirmEvent.dataPathId = event->ndp_instance_id;
+
+       if (event->app_info.ndp_app_info_len < 0
+                       || event->app_info.ndp_app_info_len > NAN_DP_MAX_APP_INFO_LEN) {
+               NAN_LOGE("Invalid app_info length");
+               return;
+       }
+
        memcpy(dataPathConfirmEvent.appInfo,
                        event->app_info.ndp_app_info,
                        event->app_info.ndp_app_info_len);
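Review bot: The same validate-and-return block now appears five times across four functions (twice in raiseServiceDiscoveredEvent, then in raiseFollowupEvent, raiseDataPathRequestedEvent and here) with only the length, limit and log text varying, so a single static helper would keep the call sites from drifting when a limit changes. Assuming NAN_LOGE accepts printf-style arguments, a helper such as `static bool checkEventLen(long len, size_t max, const char *what)` that logs `"Invalid %s length"` and returns false would reduce each site to `if (!checkEventLen(event->app_info.ndp_app_info_len, NAN_DP_MAX_APP_INFO_LEN, "app_info")) return;`. raiseDataPathConfirmedEvent continues past the end of this hunk.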