Fix SVACE issue 38/148738/7
authorVitaliy Cherepanov <v.cherepanov@samsung.com>
Fri, 8 Sep 2017 14:17:29 +0000 (17:17 +0300)
committerVitaliy Cherepanov <v.cherepanov@samsung.com>
Mon, 11 Sep 2017 16:48:06 +0000 (19:48 +0300)
add bounds checking to process_target_bins

Change-Id: I517306a4479e277b5f8ea2289f14373f253ec8ab
Signed-off-by: Vitaliy Cherepanov <v.cherepanov@samsung.com>
helper/got_patching.c
helper/got_patching.h
helper/libdaprobe.c

index 6cd5ad696d23c0ad460c16eb312608811ed5fe54..1d875299ee6a0d1536c32ff65455e5c91490ae5c 100644 (file)
@@ -78,7 +78,18 @@ typedef unsigned long (*find_name_cb_t)(const struct link_map *, const char *);
 extern char *program_invocation_name;
 static bool inited = false;
 
-static void _process_target_bins(char *bins_data)
+static int decrease_size(size_t *size, size_t need)
+{
+       if (*size < need) {
+               PRINTERR("wrong buffer size");
+               return -EINVAL;
+       }
+
+       *size -= need;
+       return 0;
+}
+
+static void _process_target_bins(char *bins_data, size_t avail_size)
 {
        uint32_t cnt;
        uint32_t len;
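Review bot: decrease_size (lines 20-29) carries no comment stating its contract, and the contract matters to its callers: on failure it logs and returns -EINVAL without touching `*size`, on success it consumes `need` bytes from `*size`, and callers are expected to stop parsing as soon as it fails. A short header would make that explicit, e.g. `/* Consume need bytes from the remaining budget *size. Returns 0 on success; on a short buffer logs, leaves *size unchanged and returns -EINVAL. */`. The new `avail_size` parameter on line 31 is the only place that budget enters _process_target_bins, and its body continues past the end of this hunk.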
@@ -87,13 +98,22 @@ static void _process_target_bins(char *bins_data)
        unsigned int i;
        int ret;
 
+       if (decrease_size(&avail_size, sizeof(cnt)))
+               return;
+
        cnt = *(uint32_t *)ptr;
        ptr += sizeof(cnt);
 
        for (i = 0; i < cnt; i++) {
+               if (decrease_size(&avail_size, sizeof(len)))
+                       return;
+
                len = *(uint32_t *)ptr;
                ptr += sizeof(len);
 
+               if (decrease_size(&avail_size, len))
+                       return;
+
                path = malloc(len);
                if (path == NULL) {
                        // TODO Error! error! error!
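Review bot: The check added at line 52 guarantees that `len` bytes are present in the buffer before `malloc(len)`, but it does not check what those bytes contain; the lines that copy them into `path` and use it are outside this hunk, so if `path` is later treated as a C string nothing here ensures a terminator lies within the `len` bytes, and `len == 0` would reach `malloc(0)`. If that is the case, a content check next to the size check closes it: `if (len == 0 || ptr[len - 1] != '\0') return;`. Separately, the function still returns void on every failure path, so a truncated or malformed message is silently dropped after the partial work done in earlier iterations; a logged reason at the return sites (decrease_size logs, but not which field failed) would help when diagnosing a bad payload. The reads `*(uint32_t *)ptr` on lines 42 and 49 are pre-existing unaligned accesses through a `char *`; a `memcpy(&cnt, ptr, sizeof(cnt))` would avoid the alignment and aliasing concern. _process_target_bins starts and ends outside this hunk.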
@@ -553,13 +573,13 @@ void init_features(void)
        _init_feature_ptrs();
 }
 
-void process_got_patching(char *data)
+void process_got_patching(char *data, size_t size)
 {
        if (!inited) {
                _init_linker_addr();
                inited = true;
        }
-       _process_target_bins(data);
+       _process_target_bins(data, size);
        _process_features();
 }
 
index 2f76fe3a1060f2d5f301f0b16203486abddf8b5c..9783575f87d2a5e94484ab4a92810b33c2e33114 100644 (file)
@@ -1,7 +1,7 @@
 #ifndef __GOT_PATCHING_H__
 #define __GOT_PATCHING_H__
 
-void process_got_patching(char *data);
+void process_got_patching(char *data, size_t size);
 void restore_got_patching(void);
 void init_features(void);
 
index cf62edd0024a7b5f726308e40961e8394f99402d..2bdafda73adcdc3daac8caedf9f10e438f52ebeb 100755 (executable)
@@ -115,9 +115,9 @@ static void _configure(char* configstr)
                 gTraceInfo.features.feature_0, gTraceInfo.features.feature_1);
 }
 
-static void _process_target_bins(char *data_buf)
+static void _process_target_bins(char *data_buf, size_t size)
 {
-       process_got_patching(data_buf);
+       process_got_patching(data_buf, size);
 }
 
 void application_exit()
@@ -247,6 +247,7 @@ static int create_socket(void)
        while (((recved & MSG_CONFIG_RECV) == 0) ||
               ((recved & MSG_TARGET_BINS_RECV) == 0)) {
                const char *data_buf;
+               size_t data_size;
 
                PRINTMSG("wait incoming message %d\n",
                         gTraceInfo.socket.daemonSock);
@@ -261,13 +262,14 @@ static int create_socket(void)
                }
 
                data_buf = log.data;
+               data_size = log.length;
                if (log.type == APP_MSG_CONFIG) {
                        PRINTMSG("APP_MSG_CONFIG");
                        _configure((char *)data_buf);
                        recved |= MSG_CONFIG_RECV;
                } else if (log.type == APP_MSG_TARGET_BINS) {
                        PRINTMSG("APP_MSG_TARGET_BINS");
-                       _process_target_bins((char *)data_buf);
+                       _process_target_bins((char *)data_buf, data_size);
                        recved |= MSG_TARGET_BINS_RECV;
                } else {
                        // unexpected case
@@ -352,6 +354,7 @@ static void *recv_thread(void __unused * data)
                } else if (FD_ISSET(gTraceInfo.socket.daemonSock, &workfds)) {
                        int ret;
                        const char *data_buf;
+                       size_t data_size;
 
                        ret = read_log(gTraceInfo.socket.daemonSock, &log);
                        if (ret) {
@@ -362,12 +365,13 @@ static void *recv_thread(void __unused * data)
                        }
 
                        data_buf = log.data;
+                       data_size = log.length;
                        if (log.type == APP_MSG_CAPTURE_SCREEN) {
                                capture_screen_call();
                        } else if (log.type == APP_MSG_CONFIG) {
                                _configure((char *)data_buf);
                        } else if (log.type == APP_MSG_TARGET_BINS) {
-                               _process_target_bins((char *)data_buf);
+                               _process_target_bins((char *)data_buf, data_size);
                        } else if (log.type == APP_MSG_STOP) {
                                /* Send acknowlege message to manager */
                                printLog(&log, APP_MSG_STOP);