Fix tainted int 93/145093/4
authorjusung son <jusung07.son@samsung.com>
Mon, 21 Aug 2017 08:09:19 +0000 (17:09 +0900)
committerjusung son <jusung07.son@samsung.com>
Mon, 21 Aug 2017 08:21:59 +0000 (08:21 +0000)
 - boundary check
 - strtol error handling

Change-Id: Ife7ad3f3940f56c88e0f93b8179db4875c894d0b
Signed-off-by: jusung son <jusung07.son@samsung.com>
src/data_control_map.c
src/data_control_provider.c

index 2d12cf8f9452b04f4a4524511e8d6c07045ae28e..76b020c4eadbf71633881caab3fc81e587e9f099 100755 (executable)
@@ -156,7 +156,8 @@ EXPORT_API int data_control_map_get_with_page(data_control_h provider,
        int reqId;
 
        if (provider == NULL || provider->provider_id == NULL ||
-                       provider->data_id == NULL || key == NULL) {
+                       provider->data_id == NULL ||
+                       key == NULL || page_number < 1) {
                _LOGE("Invalid parameter");
                return DATA_CONTROL_ERROR_INVALID_PARAMETER;
        }
index 4e21c402b7afeeedf043f76278416ef66c38f32e..23687726468b67708b445b24941302157e083a77 100755 (executable)
@@ -245,21 +245,24 @@ int __datacontrol_get_data_changed_filter_callback_id(void)
        return id;
 }
 
-static int __get_int_from_str(const char *str)
+static bool __get_int_from_str(const char *str, int *trans_value)
 {
-       int result = 0;
+       long result = 0;
        char *pend;
        errno = 0;
        result = strtol(str, &pend, 10);
-       if ((result == LONG_MIN || result == LONG_MAX)
-               && errno != 0) {
-               result = 0;
+       if (result < INT_MIN || result > INT_MAX || errno != 0) {
+               _LOGE("strtol failed :%s [%d]", str, errno);
+               return false;
        }
 
-       if (*pend != '\0')
-               result = 0;
+       if (*pend != '\0') {
+               _LOGE("strtol failed : %s, %s ", str, pend);
+               return false;
+       }
+       *trans_value = (int)result;
 
-       return result;
+       return true;
 }
 
 static bundle *__get_bundle_data_from_fd(int fd)
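Review bot: The new checks in `__get_int_from_str` still accept an empty string: `strtol("")` returns 0 and sets `pend == str`, so `*pend == '\0'` holds and the function reports success with `*trans_value = 0`, the same silent-zero result the commit set out to remove. The no-digits case should be rejected together with trailing garbage, e.g. `if (pend == str || *pend != '\0') {`. The signature now returns `bool`; whether `<stdbool.h>` is already included in this file is not visible in the hunk and is worth confirming. The `INT_MIN`/`INT_MAX` comparison is a no-op on targets where `long` is 32-bit, but the `errno != 0` (ERANGE) test covers that case, so the combination is sound.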
@@ -1106,12 +1109,24 @@ static int __send_get_value_result(int fd, bundle *b, void *data)
        _LOGI("page num: %s, count_per_page: %s, value_count %s",
                        page_num_str, count_per_page_str, value_count_str);
 
-       if (page_num_str)
-               page_number = __get_int_from_str(page_num_str);
-       if (count_per_page_str)
-               count_per_page = __get_int_from_str(count_per_page_str);
-       if (value_count_str)
-               value_count = __get_int_from_str(value_count_str);
+       if (!page_num_str || !count_per_page_str || !value_count_str) {
+               _LOGE("bundle was corrupted.");
+               return DATA_CONTROL_ERROR_IO_ERROR;
+       }
+
+       if (!__get_int_from_str(page_num_str, &page_number))
+               return DATA_CONTROL_ERROR_IO_ERROR;
+
+       if (page_number < 1) {
+               _LOGE("bundle was corrupted. page_number[%d]", page_number);
+               return DATA_CONTROL_ERROR_IO_ERROR;
+       }
+
+       if (!__get_int_from_str(count_per_page_str, &count_per_page))
+               return DATA_CONTROL_ERROR_IO_ERROR;
+
+       if (!__get_int_from_str(value_count_str, &value_count))
+               return DATA_CONTROL_ERROR_IO_ERROR;
 
        current_offset = (page_number - 1) * count_per_page;
        remain_count = value_count - current_offset;
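Review bot: Only `page_number` is range-checked; `count_per_page` and `value_count` go straight into `current_offset = (page_number - 1) * count_per_page;` and `remain_count = value_count - current_offset;`, so a zero or negative `count_per_page` from the bundle yields a zero or negative offset, a negative `value_count` yields a negative remainder, and a large pair can overflow `int`, which is undefined behaviour rather than a detectable error. After the three conversions I would add `if (count_per_page < 1 || value_count < 0 || page_number - 1 > INT_MAX / count_per_page) { _LOGE("bundle was corrupted. count_per_page[%d] value_count[%d]", count_per_page, value_count); return DATA_CONTROL_ERROR_IO_ERROR; }`. How `remain_count` is consumed is outside the hunk, so what a negative value does downstream cannot be confirmed here; `__send_get_value_result` continues past the hunk.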
@@ -1489,6 +1504,9 @@ int __provider_process(bundle *b, int fd, const char *consumer_appid)
        char *provider_id;
        char *caller_appid;
        bundle *value = NULL;
+       int i = 1;
+       int current = 0;
+       int column_count;
 
        const char *request_type =
                bundle_get_val(b, OSP_K_DATACONTROL_REQUEST_TYPE);
@@ -1568,9 +1586,10 @@ int __provider_process(bundle *b, int fd, const char *consumer_appid)
        switch (type) {
        case DATACONTROL_TYPE_SQL_SELECT:
        {
-               int i = 1;
-               int current = 0;
-               int column_count = __get_int_from_str(arg_list[i++]); /* Column count */
+               if (!__get_int_from_str(arg_list[i++], &column_count)) { /* Column count */
+                       _LOGE("Failed to convert column_count", column_count);
+                       goto err;
+               }
 
                if (column_count <= 0 || column_count > MAX_COLUMN_COUNT) {
                        _LOGE("Invalid column count %d", column_count);
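Review bot: The failure log `_LOGE("Failed to convert column_count", column_count);` passes `column_count` to a format string with no conversion specifier, and on this path `__get_int_from_str` returned `false` without writing it, so the call reads the variable declared without an initializer at `int column_count;` in the earlier hunk — an indeterminate value. Either drop the argument, `_LOGE("Failed to convert column_count");`, or log the offending text instead, `_LOGE("Failed to convert column_count: %s", arg_list[i - 1]);`. Initializing the declaration as `int column_count = 0;` would also remove the indeterminate read. The `switch` and `__provider_process` itself extend beyond the hunk, as does the `err:` label the `goto` targets.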
@@ -3054,6 +3073,7 @@ int datacontrol_provider_get_select_page_info(
        bundle *b;
        const char *page_num_str;
        const char *count_per_page_str;
+       int result;
 
        if (__request_table == NULL) {
                _LOGE("__request_table is NULL");
@@ -3072,8 +3092,17 @@ int datacontrol_provider_get_select_page_info(
                _LOGE("No page data for the request id: %d, ", request_id);
                return DATA_CONTROL_ERROR_INVALID_PARAMETER;
        }
-       *page_num = __get_int_from_str(page_num_str);
-       *count_per_page = __get_int_from_str(count_per_page_str);
+       if (!__get_int_from_str(page_num_str, &result)) {
+               _LOGE("Failed to convert page_num_str", page_num_str);
+               return DATA_CONTROL_ERROR_IO_ERROR;
+       }
+       *page_num = result;
+
+       if (!__get_int_from_str(count_per_page_str, &result)) {
+               _LOGE("Failed to convert count_per_page_str", count_per_page_str);
+               return DATA_CONTROL_ERROR_IO_ERROR;
+       }
+       *count_per_page = result;
 
        return DATA_CONTROL_ERROR_NONE;
 }
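Review bot: Both new error logs, `_LOGE("Failed to convert page_num_str", page_num_str);` and `_LOGE("Failed to convert count_per_page_str", count_per_page_str);`, pass a string argument to a format string that has no `%s`, so the value never appears in the log and `-Wformat-extra-args` will flag it; they should read `_LOGE("Failed to convert page_num_str: %s", page_num_str);` and `_LOGE("Failed to convert count_per_page_str: %s", count_per_page_str);`. Unlike `__send_get_value_result`, this function does not reject a page number below 1, and it writes `*page_num = result;` before the second conversion is known to succeed, so a caller sees a partially updated output on `DATA_CONTROL_ERROR_IO_ERROR`. Parsing into two locals and assigning both outputs only after both conversions (and a `page < 1` check) pass would make the failure path leave the caller's variables untouched.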