Fixing prevent major defects in security-server.

author Marcin Niesluchowski <m.niesluchow@samsung.com>

Fri, 14 Jun 2013 08:51:30 +0000 (10:51 +0200)

committer Bartlomiej Grzelewski <b.grzelewski@samsung.com>

Thu, 6 Feb 2014 16:11:45 +0000 (17:11 +0100)
author Marcin Niesluchowski <m.niesluchow@samsung.com>
Fri, 14 Jun 2013 08:51:30 +0000 (10:51 +0200)
committer Bartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 6 Feb 2014 16:11:45 +0000 (17:11 +0100)
diff --git a/src/client/security-server-client.c b/src/client/security-server-client.c

index d3bc4ac..cc91e0c 100644 (file)
--- a/src/client/security-server-client.c
+++ b/src/client/security-server-client.c
@@ -163,7 +163,7 @@ static int recv_exec_path_response(int sockfd, response_header *hdr, char** path
         }
  
         retval = TEMP_FAILURE_RETRY(read(sockfd, &size, sizeof(size_t)));
-       if(retval < (ssize_t)sizeof(size_t) || size == 0)
+       if(retval < (ssize_t)sizeof(size_t) || size == 0 || size > MESSAGE_MAX_LEN)
         {
                 /* Error on socket */
                 SEC_SVR_ERR("read() failed: %d", retval);
diff --git a/src/communication/security-server-comm.c b/src/communication/security-server-comm.c

index e4ae049..49d30cc 100644 (file)
--- a/src/communication/security-server-comm.c
+++ b/src/communication/security-server-comm.c
@@ -2072,7 +2072,7 @@ int recv_pid_privilege_request(int sockfd, int datasize, int * pid, char ** obje
      memcpy(*object, buff + sizeof(int), object_size);
  
      //get access_rights
-    access_rights_size = datasize - sizeof(int) - object_size;
+    access_rights_size = datasize - object_size - sizeof(int);
      *access_rights = (char *)malloc(access_rights_size);
      memcpy(*access_rights, buff + sizeof(int) + object_size, access_rights_size);
  
diff --git a/src/include/security-server-common.h b/src/include/security-server-common.h

index f4bd665..59bb8e2 100644 (file)
--- a/src/include/security-server-common.h
+++ b/src/include/security-server-common.h
@@ -76,6 +76,7 @@
  #define SECURITY_SERVER_PASSWORD_RETRY_TIMEOUT_MICROSECOND  500000   /* = 500 milliseconds */
  #define SECURITY_SERVER_MAX_PASSWORD_HISTORY   50
  #define SECURITY_SERVER_NUM_THREADS                    10
+#define MESSAGE_MAX_LEN                                 1048576
  
  /* API prefix */
  #ifndef SECURITY_SERVER_API
diff --git a/src/server/security-server-main.c b/src/server/security-server-main.c

index af3be83..20d9d9e 100644 (file)
--- a/src/server/security-server-main.c
+++ b/src/server/security-server-main.c
@@ -1570,8 +1570,12 @@ void *security_server_thread(void *param)
          authorize_SS_API_caller_socket(client_sockfd, API_DATA_SHARE, API_RULE_REQUIRED);
          if (client_has_access(client_sockfd, API_DATA_SHARE)) {
              SEC_SVR_DBG("%s", "Server: app give access request received");
-            process_app_get_access_request(client_sockfd,
-              basic_hdr.msg_len - sizeof(basic_hdr));
+            if (basic_hdr.msg_len >= 0 && (size_t)basic_hdr.msg_len >= sizeof(basic_hdr)) {
+                process_app_get_access_request(client_sockfd,
+                  basic_hdr.msg_len - sizeof(basic_hdr));
+            } else {
+                SEC_SVR_ERR("ERROR: Invalid message length: %d", basic_hdr.msg_len);
+            }
          } else {
              SEC_SVR_DBG("%s", "Server: app give access request received (API DENIED - request will not proceed)");
              send_generic_response(client_sockfd,
author	Marcin Niesluchowski <m.niesluchow@samsung.com>
	Fri, 14 Jun 2013 08:51:30 +0000 (10:51 +0200)
committer	Bartlomiej Grzelewski <b.grzelewski@samsung.com>
	Thu, 6 Feb 2014 16:11:45 +0000 (17:11 +0100)
src/client/security-server-client.c		patch \| blob \| history
src/communication/security-server-comm.c		patch \| blob \| history
src/include/security-server-common.h		patch \| blob \| history
src/server/security-server-main.c		patch \| blob \| history