Check bounds of tainted values
authorCheoleun Moon <chleun.moon@samsung.com>
Thu, 2 Apr 2020 07:09:54 +0000 (16:09 +0900)
committerCheoleun Moon <chleun.moon@samsung.com>
Thu, 2 Apr 2020 07:09:54 +0000 (16:09 +0900)
test/wifi-aware-test.c

index 1f911ae83023b644fbe538a3a7cc8471f0842613..fa2815ad48a88d806de7fa331c341ec8e843b92b 100644 (file)
@@ -423,6 +423,10 @@ static int __set_match_filter(unsigned char match_filter[MAX_MATCH_FILTER_LEN +
        if (scanf("%d", &total_num) < 0)
                return -1;
 
+       if (total_num < 0 || total_num > MAX_MATCH_FILTER_LEN) {
+               printf("Too many match filters");
+               return -1;
+       }
        for (int i = 0; i < total_num; ++i) {
                printf("%d match filter len: ", i);
                if (scanf("%d", &len) < 0)
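Review bot: The new range check on `total_num` can run on a value that was never assigned, because the guard just above it, `scanf("%d", &total_num) < 0`, only catches EOF; non-numeric input makes scanf return 0 and leaves `total_num` untouched. Whether `total_num` has an initializer is outside the hunk, so the safe form is `if (scanf("%d", &total_num) != 1) return -1;`, and the same applies to the `scanf("%d", &len)` call on the last line of the hunk. The message `"Too many match filters"` is also printed for a negative count and has no trailing `\n`. The body of __set_match_filter starts and ends outside the hunk.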
@@ -434,6 +438,14 @@ static int __set_match_filter(unsigned char match_filter[MAX_MATCH_FILTER_LEN +
                        printf("The length of filter value is not %d\n", len);
                        return -1;
                }
+               if (total_len > MAX_MATCH_FILTER_LEN) {
+                       printf("The length of filter value is longer than max length(%d)", MAX_MATCH_FILTER_LEN);
+                       return -1;
+               }
+               if (total_len + len > MAX_MATCH_FILTER_LEN) {
+                       printf("The length of filter value is longer than max length(%d)", MAX_MATCH_FILTER_LEN);
+                       return -1;
+               }
                match_filter[total_len++] = len;
                memcpy(&match_filter[total_len], filter, len);
                total_len += len;
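Review bot: The added bound `total_len + len > MAX_MATCH_FILTER_LEN` does not count the length-prefix byte that `match_filter[total_len++] = len` writes before the memcpy, so an entry can end at index MAX_MATCH_FILTER_LEN and the running total can reach MAX_MATCH_FILTER_LEN + 1. That appears to stay inside the array only because its declared size is MAX_MATCH_FILTER_LEN plus a constant that is cut off in the hunk header, and the callers then reject such a result with `len >= MAX_MATCH_FILTER_LEN` after the user has already typed every filter. Counting the prefix, `if (total_len + 1 + len > MAX_MATCH_FILTER_LEN) {`, would make the helper's limit explicit. The preceding `total_len > MAX_MATCH_FILTER_LEN` test would then be redundant as long as `len` is non-negative, which the lines outside the hunk would have to confirm. Both new messages lack a trailing `\n`.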
@@ -479,7 +491,7 @@ static void __set_publish_config(wifi_aware_publish_h publish)
        ret = scanf("%d", &set_mf);
        if (set_mf == 1) {
                len = __set_match_filter(match_filter);
-               if (len < 0) {
+               if (len < 0 || len >= MAX_MATCH_FILTER_LEN) {
                        printf("Not set match filter\n");
                        return;
                }
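Review bot: The `len >= MAX_MATCH_FILTER_LEN` test rejects a filter of exactly MAX_MATCH_FILTER_LEN bytes, while the checks added in __set_match_filter accept totals up to that value, and nothing here says which bound is intended. A short comment above the test stating why the maximum itself is excluded, or `if (len < 0 || len > MAX_MATCH_FILTER_LEN) {` if a full-length filter is meant to be valid, would settle it; the identical line in __set_subscribe_config in the next hunk needs the same treatment. Separately, `set_mf` is read immediately after `ret = scanf("%d", &set_mf);` without `ret` being checked in the visible lines, so malformed input may leave it unassigned unless it is initialized outside the hunk.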
@@ -689,7 +701,7 @@ static void __set_subscribe_config(wifi_aware_subscribe_h subscribe)
        ret = scanf("%d", &set_mf);
        if (set_mf == 1) {
                len = __set_match_filter(match_filter);
-               if (len < 0) {
+               if (len < 0 || len >= MAX_MATCH_FILTER_LEN) {
                        printf("Not set match filter\n");
                        return;
                }