Check length of data 58/280958/1
authorcheoleun moon <chleun.moon@samsung.com>
Wed, 7 Sep 2022 06:42:02 +0000 (15:42 +0900)
committercheoleun moon <chleun.moon@samsung.com>
Wed, 7 Sep 2022 06:42:08 +0000 (15:42 +0900)
Change-Id: I0d3c6b52473774f99c0d57be74b209d3ddef4bf6

src/NanDbusHandler.cpp
src/NanHal.cpp

index 4f129cf34d9d5e494765bdb084c2972ea413a8e7..c8a4f3412c8b26423c148add7f94282d884e25e6 100644 (file)
@@ -33,7 +33,7 @@ void NanDbusHandler::setNanServiceProvider(NanServiceProvider *serviceProvider)
 void NanDbusHandler::registerHandler(NanDbusManager *dbusManager)
 {
        NAN_LOGD("registerHandler");
-       
+
        if (dbusManager == nullptr) {
                NAN_LOGE("dbusManager is nullptr");
                return;
@@ -93,7 +93,7 @@ void NanDbusHandler::clientDestroyedCallback(GDBusConnection *connection,
                config->setDbusResource(NULL, NULL);
                serviceProvider->disable(config, data->clientId);
        }
-       
+
        g_free(data->clientConnName);
        g_free(data);
 }
@@ -375,8 +375,13 @@ gboolean NanDbusHandler::openDataPathPskHandler(NanDbusDiscovery *object,
        // TODO:
        // config->securityConfig.cipherType = getCipherType()
        config->securityConfig.securityType = NAN_SECURITY_TYPE_PASSPHRASE;
-       config->securityConfig.keyLen = strlen(psk);
-       memcpy(config->securityConfig.passphrase, psk, config->securityConfig.keyLen); 
+       auto len = strlen(psk);
+       if (len > NAN_MAX_PASSPHRASE_LEN) {
+               NAN_LOGE("Invalid psk length[%ld]", len);
+               return false;
+       }
+       config->securityConfig.keyLen = len;
+       memcpy(config->securityConfig.passphrase, psk, config->securityConfig.keyLen);
 
        NanError ret = serviceProvider->openDataPath(config,
                        clientId, pubSubId, peerId, (NanDataPathRole)role);
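Review bot: The new guard in openDataPathPskHandler rejects only an over-long psk, so an empty or very short passphrase still passes and is handed to openDataPath with NAN_SECURITY_TYPE_PASSPHRASE. A lower bound belongs in the same condition, using whatever minimum-length constant the project defines (none is visible in this hunk). `len` is a `size_t`, so the log call should use `%zu` rather than `%ld`, i.e. `NAN_LOGE("Invalid psk length[%zu]", len);`, and the two new NAN_LOGE calls in src/NanHal.cpp have the same mismatch. The early `return false` should also be compared with the handler's other failure paths, which lie outside the hunk: if this is a gdbus-codegen method handler, the invocation presumably needs to be completed with an error before returning so the client sees a meaningful failure.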
index eb36f3bfdbeb1943008988ea8dd76211229c6f35..1f47d1c640aa04c379d017b4a22a29a91e71b764 100644 (file)
@@ -56,7 +56,7 @@ NanError NanHal::init(void)
        wifi_error ret = WIFI_ERROR_NONE;
 
        loadHalLibrary(HAL_LIBRARY);
-       
+
        ret = initWifiVendorHalFuncTable(&mFunctionTable);
        if (ret != WIFI_SUCCESS) {
                NAN_LOGE("Failed to initialize legacy HAL function table [%d]", ret);
@@ -658,7 +658,7 @@ NanEnableRequest* NanHal::convertEnableConfigToLegacy(std::shared_ptr<EnableConf
 
        nanEnableReq->config_nss = config->configNss;
        nanEnableReq->nss = config->nss;
-       
+
        nanEnableReq->config_enable_ranging = config->configEnableRanging;
        nanEnableReq->enable_ranging = config->enableRanging;
 
@@ -777,11 +777,11 @@ NanPublishRequest* NanHal::convertPublishConfigToLegacy(std::shared_ptr<PublishC
        nanPublishReq->rssi_threshold_flag = config->useRssiThreshold;
        nanPublishReq->connmap = 0;
 
-       /* 
+       /*
       Set/Enable corresponding bits to disable any indications that follow a publish.
       BIT0(0x1) - Disable publish termination indication.
       BIT1(0x2) - Disable match expired indication. // 0x2
-      BIT2(0x4) - Disable followUp indication received (OTA). 
+      BIT2(0x4) - Disable followUp indication received (OTA).
       BIT3(0x8) - Disable publishReplied indication.
     */
        nanPublishReq->recv_indication_cfg = 0;
@@ -794,8 +794,8 @@ NanPublishRequest* NanHal::convertPublishConfigToLegacy(std::shared_ptr<PublishC
                config->autoAcceptDataPathRequest ?
                NAN_SERVICE_ACCEPT_POLICY_ALL : NAN_SERVICE_ACCEPT_POLICY_NONE;
        nanPublishReq->cipher_type = 0;
-       /* 
+
+       /*
          TODO: Ranging
        */
        if (config->enableRanging) {
@@ -954,7 +954,7 @@ NanTransmitFollowupRequest* NanHal::convertFollowupConfigToLegacy(std::shared_pt
 
        nanTransmitFollowupReq->publish_subscribe_id = pubSubId;
        nanTransmitFollowupReq->requestor_instance_id = config->requestorId;
-       
+
        memcpy(&nanTransmitFollowupReq->addr, config->addr, NAN_MAC_ADDR_LEN);
 
        nanTransmitFollowupReq->priority =
@@ -980,7 +980,7 @@ NanTransmitFollowupRequest* NanHal::convertFollowupConfigToLegacy(std::shared_pt
 
 NanDataPathInitiatorRequest* NanHal::convertDataPathConfigToLegacyRequest(std::shared_ptr<DataPathConfig> config)
 {
-       NanDataPathInitiatorRequest *ndpInitiatorReq 
+       NanDataPathInitiatorRequest *ndpInitiatorReq
                = (NanDataPathInitiatorRequest *)calloc(1, sizeof(NanDataPathInitiatorRequest));
        if (!ndpInitiatorReq) {
                NAN_LOGE("Out of memory");
@@ -1030,7 +1030,13 @@ NanDataPathInitiatorRequest* NanHal::convertDataPathConfigToLegacyRequest(std::s
                        break;
        }
 
-       ndpInitiatorReq->service_name_len = strlen(config->serviceName);
+       auto len = strlen(config->serviceName);
+       if (len > NAN_MAX_SERVICE_NAME_LEN) {
+               NAN_LOGE("Invalid parameter: ndpInitiatorReq->service_name_len[%ld]", len);
+               free(ndpInitiatorReq);
+               return nullptr;
+       }
+       ndpInitiatorReq->service_name_len = len;
        memcpy(&ndpInitiatorReq->service_name,
                        config->serviceName, ndpInitiatorReq->service_name_len);
 
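Review bot: The bound in convertDataPathConfigToLegacyRequest is only as good as the assumption that `service_name` holds at least NAN_MAX_SERVICE_NAME_LEN bytes, and that declaration is not visible here. Tying the check to the destination, `if (len > sizeof(ndpInitiatorReq->service_name)) {`, keeps the guard correct if the struct or the constant changes. The same applies to the identical check on `ndpIndicationResp` in convertDataPathConfigToLegacyResponse. When `len` equals the limit the copy leaves no terminating NUL in the buffer, so a short comment such as `// service_name is not NUL-terminated; consumers must use service_name_len` would help. Since both functions now carry the same check-log-free-return sequence, a small file-local helper doing the bounded copy would keep the two sites from diverging.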
@@ -1086,7 +1092,13 @@ NanDataPathIndicationResponse* NanHal::convertDataPathConfigToLegacyResponse(std
                        break;
        }
 
-       ndpIndicationResp->service_name_len = strlen(config->serviceName);
+       auto len = strlen(config->serviceName);
+       if (len > NAN_MAX_SERVICE_NAME_LEN) {
+               NAN_LOGE("Invalid parameter: ndpIndicationResp->service_name_len[%ld]", len);
+               free(ndpIndicationResp);
+               return nullptr;
+       }
+       ndpIndicationResp->service_name_len = len;
        memcpy(&ndpIndicationResp->service_name,
                        config->serviceName, ndpIndicationResp->service_name_len);