Fix tainted int and deref null

Change-Id: I74507dff2102550215d281fde4149dfbf115c41a
Signed-off-by: Hyunho Kang <hhstark.kang@samsung.com>

diff --git a/src/data-control-internal.c b/src/data-control-internal.c
index 6dfeba3f34ca6b6ddfc34669fa35894179b681e1..3c83cea049e71a546665a877b286922c33adeb2c 100755 (executable)
--- a/src/data-control-internal.c
+++ b/src/data-control-internal.c
@@ -41,7 +41,6 @@
 #include "data-control-internal.h"
 #include "data-control-types.h"
 
-#define MAX_COLUMN_SIZE                                512
 #define MAX_STATEMENT_SIZE                     1024
 #define RESULT_VALUE_COUNT                     "RESULT_VALUE_COUNT"
 #define MAX_COUNT_PER_PAGE             "MAX_COUNT_PER_PAGE"

diff --git a/src/data-control-internal.h b/src/data-control-internal.h
index 57975c2754062274567e1e4b329991952812ded8..c299d24bd9ba389f17092ce252338e962ea08e26 100755 (executable)
--- a/src/data-control-internal.h
+++ b/src/data-control-internal.h
@@ -19,6 +19,7 @@
  * @brief      This is the header file for private keys of the data-control.
  */
 #include <gio/gio.h>
+#include <bundle.h>
 #include "data_control_types.h"
 
 #ifndef _APPFW_DATA_CONTROL_INTERNAL_H_
@@ -56,6 +57,10 @@
 #define DATACONTROL_REQUEST_FILE_PREFIX "/tmp/data-control/datacontrol.request."
 #define DATACONTROL_RESULT_FILE_PREFIX  "/tmp/data-control/datacontrol.result."
 
+#define MAX_REQUEST_ARGUMENT_SIZE      1048576 /* 1MB */
+#define MAX_ROW_COUNT          1024
+#define MAX_COLUMN_SIZE                512
+#define MAX_VALUE_COUNT                1024
 
 /**
  * @brief Enumerations of different type of data control requests.
@@ -116,6 +121,7 @@ int _set_provider_id(datacontrol_h provider, const char *provider_id);
 int _set_data_id(datacontrol_h provider, const char *data_id);
 datacontrol_data_change_type_e _get_internal_noti_type(data_control_data_change_type_e type);
 data_control_data_change_type_e _get_public_noti_type(datacontrol_data_change_type_e type);
+bool _check_int(int num);
 
 #endif /* _APPFW_DATA_CONTROL_INTERNAL_H_ */
 

diff --git a/src/data-control-map.c b/src/data-control-map.c
index 70dee948ff58892a08044128bd284be4a588c6bf..f93a3920a7c71c43fa7188594093cac112e61ee9 100755 (executable)
--- a/src/data-control-map.c
+++ b/src/data-control-map.c
@@ -46,7 +46,6 @@ typedef struct {
 } map_response_cb_s;
 
 static void *datacontrol_map_tree_root = NULL;
-static const int MAX_ARGUMENT_SIZE = 16384; /* 16KB */
 static GHashTable *__socket_pair_hash = NULL;
 
 static void __map_call_cb(const char *provider_id, int request_id, datacontrol_request_type type,
@@ -145,6 +144,10 @@ static char **__map_get_value_list(int fd, int *value_count)
                return NULL;
        }
 
+       if (count < 0 || count > MAX_VALUE_COUNT) {
+               LOGE("invalid count %d", count);
+               return NULL;
+       }
 
        value_list = (char **)calloc(count, sizeof(char *));
        if (value_list == NULL) {
@@ -154,8 +157,12 @@ static char **__map_get_value_list(int fd, int *value_count)
 
        for (i = 0; i < count; i++) {
                if (_read_socket(fd, (char *)&nbytes, sizeof(nbytes), &nb)) {
-                               LOGE("datacontrol_recv_map_get_value_list : ...from %d: fail to read\n", fd);
-                               goto ERROR;
+                       LOGE("datacontrol_recv_map_get_value_list : ...from %d: fail to read\n", fd);
+                       goto ERROR;
+               }
+               if (nbytes < 0 || nbytes > MAX_REQUEST_ARGUMENT_SIZE) {
+                       LOGE("invalid nbytes %d", nbytes);
+                       goto ERROR;
                }
 
                LOGI("nbytes : %d  %d" , nbytes , nb);
@@ -364,7 +371,7 @@ static gboolean __recv_map_message(GIOChannel *channel,
                }
 
                LOGI("__recv_map_message: ...from %d: %d bytes\n", fd, nbytes);
-               if (nbytes > 0) {
+               if (nbytes > 0 && nbytes < MAX_REQUEST_ARGUMENT_SIZE) {
                        buf = (char *) calloc(nbytes + 1, sizeof(char));
                        if (buf == NULL) {
                                LOGE("Malloc failed!!");
@@ -793,7 +800,7 @@ int datacontrol_map_get_with_page(datacontrol_h provider, const char *key, int *
        LOGI("Gets the value list from provider_id: %s, data_id: %s", provider->provider_id, provider->data_id);
 
        arg_size = (strlen(provider->data_id) + strlen(key)) * sizeof(wchar_t);
-       if (arg_size > MAX_ARGUMENT_SIZE) {
+       if (arg_size > MAX_REQUEST_ARGUMENT_SIZE) {
                LOGE("The size of sending argument (%u) exceeds the maximum limit.", arg_size);
                return DATACONTROL_ERROR_MAX_EXCEEDED;
        }
@@ -855,7 +862,7 @@ int datacontrol_map_set(datacontrol_h provider, const char *key, const char *old
        LOGI("Sets the old value to new value in provider_id: %s, data_id: %s", provider->provider_id, provider->data_id);
 
        arg_size = (strlen(provider->data_id) + strlen(key) + strlen(old_value) + strlen(new_value)) * sizeof(wchar_t);
-       if (arg_size > MAX_ARGUMENT_SIZE) {
+       if (arg_size > MAX_REQUEST_ARGUMENT_SIZE) {
                LOGE("The size of sending argument (%u) exceeds the maximum limit.", arg_size);
                return DATACONTROL_ERROR_MAX_EXCEEDED;
        }
@@ -902,7 +909,7 @@ int datacontrol_map_add(datacontrol_h provider, const char *key, const char *val
        LOGI("Adds the value in provider_id: %s, data_id: %s", provider->provider_id, provider->data_id);
 
        arg_size = (strlen(provider->data_id) + strlen(key) + strlen(value)) * sizeof(wchar_t);
-       if (arg_size > MAX_ARGUMENT_SIZE) {
+       if (arg_size > MAX_REQUEST_ARGUMENT_SIZE) {
                LOGE("The size of sending argument (%u) exceeds the maximum limit.", arg_size);
                return DATACONTROL_ERROR_MAX_EXCEEDED;
        }
@@ -948,7 +955,7 @@ int datacontrol_map_remove(datacontrol_h provider, const char *key, const char *
        LOGI("Removes the value in provider_id: %s, data_id: %s", provider->provider_id, provider->data_id);
 
        arg_size = (strlen(provider->data_id) + strlen(key) + strlen(value)) * sizeof(wchar_t);
-       if (arg_size > MAX_ARGUMENT_SIZE) {
+       if (arg_size > MAX_REQUEST_ARGUMENT_SIZE) {
                LOGE("The size of sending argument (%u) exceeds the maximum limit.", arg_size);
                return DATACONTROL_ERROR_MAX_EXCEEDED;
        }

diff --git a/src/data-control-provider.c b/src/data-control-provider.c
index a07b790e21cd89eb88914b5d8bbd501a12ec4045..14d905815fc0397c088b50682315c92f080bbced 100755 (executable)
--- a/src/data-control-provider.c
+++ b/src/data-control-provider.c
@@ -192,7 +192,7 @@ static int __send_select_result(int fd, bundle *b, void *data)
        sqlite3_int64 offset_idx = 0;
        sqlite3_int64 row_count = 0;
        unsigned int nb = 0;
-       int type;
+       int type = 0;
        int column_name_len;
        const char *page_number_str;
        int size = 0;
@@ -358,7 +358,10 @@ static int __send_select_result(int fd, bundle *b, void *data)
                                case SQLITE_TEXT:
                                        type = 3;
                                        value = (char *)sqlite3_column_text(state, i);
-                                       size = strlen(value) + 1;
+                                       if (value)
+                                               size = strlen(value) + 1;
+                                       else
+                                               size = 0;
                                        break;
                                case SQLITE_BLOB:
                                        type = 4;
@@ -539,7 +542,7 @@ static bundle *__get_data_sql(int fd)
                return NULL;
        }
 
-       if (len > 0) {
+       if (len > 0 && len < MAX_REQUEST_ARGUMENT_SIZE) {
                buf = (char *)calloc(len, sizeof(char));
                if (buf == NULL) {
                        LOGE("calloc fail");
@@ -1081,7 +1084,7 @@ int __provider_process(bundle *b, int fd)
        {
                int i = 1;
                int current = 0;
-               int column_count = atoi(arg_list[i++]); /* Column count */
+               int column_count = _get_int_from_str(arg_list[i++]); /* Column count */
 
                LOGI("SELECT column count: %d", column_count);
                column_list = (const char **)malloc(column_count * (sizeof(char *)));
@@ -1234,7 +1237,7 @@ gboolean __provider_recv_message(GIOChannel *channel,
                }
 
                LOGI("__provider_recv_message: ...from %d: %d bytes\n", fd, data_len);
-               if (data_len > 0) {
+               if (data_len > 0 && data_len < MAX_REQUEST_ARGUMENT_SIZE) {
                        bundle *kb = NULL;
 
                        buf = (char *)calloc(data_len + 1, sizeof(char));
@@ -1406,6 +1409,12 @@ static int __provider_noti_process(bundle *b, datacontrol_request_type type)
        }
        provider->provider_id = (char *)bundle_get_val(b, OSP_K_DATACONTROL_PROVIDER);
        provider->data_id = (char *)bundle_get_val(b, OSP_K_DATACONTROL_DATA);
+       if (provider->provider_id == NULL || provider->data_id == NULL) {
+               LOGE("invalid provider value %s, %s", provider->provider_id, provider->data_id);
+               free(provider);
+               return DATACONTROL_ERROR_INVALID_PARAMETER;
+       }
+
        LOGI("Noti Provider ID: %s, data ID: %s, request type: %d", provider->provider_id, provider->data_id, type);
        path = _get_encoded_path(provider, caller_app_id);
        if (path == NULL) {

diff --git a/src/data-control-sql-cursor.c b/src/data-control-sql-cursor.c
index fb5cc4abd64e447aed3e6cde3ee9e8bdbe2685e7..b2ddc0a56347531139d3b5b75ab4efbaa35914c8 100755 (executable)
--- a/src/data-control-sql-cursor.c
+++ b/src/data-control-sql-cursor.c
@@ -24,7 +24,9 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 
+
 #include "data-control-sql-cursor.h"
+#include "data-control-internal.h"
 
 #undef LOG_TAG
 #ifndef LOG_TAG
@@ -32,7 +34,6 @@
 #endif
 
 #define ERR_BUFFER_SIZE                1024
-#define MAX_ROW_COUNT          1024
 
 resultset_cursor *datacontrol_sql_get_cursor()
 {
@@ -150,6 +151,11 @@ int datacontrol_sql_get_column_name(resultset_cursor *cursor, int column_index,
                        return DATACONTROL_ERROR_IO_ERROR;
                }
 
+               if (column_len < 0 || column_len > MAX_COLUMN_SIZE) {
+                       LOGE("Invalid column_len: %d", column_len);
+                       return DATACONTROL_ERROR_IO_ERROR;
+               }
+
                if (i == column_index) {
                        col_name = (char *)calloc(column_len, sizeof(char));
                        ret = read(fd, col_name, column_len);
@@ -352,7 +358,7 @@ int datacontrol_sql_get_blob_data(resultset_cursor *cursor, int column_index, vo
                return DATACONTROL_ERROR_MAX_EXCEEDED; /* overflow */
        }
 
-       if (size > 0) {
+       if (size > 0 && size < MAX_REQUEST_ARGUMENT_SIZE) {
                data = (char *)malloc((size + 1) * (sizeof(char)));
                memset(data, 0, size + 1);
 
@@ -365,6 +371,9 @@ int datacontrol_sql_get_blob_data(resultset_cursor *cursor, int column_index, vo
 
                memcpy(buffer, data, size + 1);
                free(data);
+       } else {
+               LOGE("Invalid size %d", size);
+               return DATACONTROL_ERROR_IO_ERROR;
        }
        return DATACONTROL_ERROR_NONE;
 }
@@ -561,7 +570,7 @@ int datacontrol_sql_get_text_data(resultset_cursor *cursor, int column_index, ch
                return DATACONTROL_ERROR_IO_ERROR;
        }
 
-       if (size > 0) {
+       if (size > 0 && size < MAX_REQUEST_ARGUMENT_SIZE) {
                data = (char *)malloc((size + 1) * (sizeof(char)));
                if (!data) {
                        LOGE("unable to create buffer to read");
@@ -578,6 +587,9 @@ int datacontrol_sql_get_text_data(resultset_cursor *cursor, int column_index, ch
 
                memcpy(buffer, data, size + 1);
                free(data);
+       } else {
+               LOGE("Invalid size %d", size);
+               return DATACONTROL_ERROR_IO_ERROR;
        }
 
        return DATACONTROL_ERROR_NONE;

diff --git a/src/data-control-sql.c b/src/data-control-sql.c
index 06f7afa19e86b750022ac8af33a044b1e9e4264a..8f3d9f288f75e82eecb97666fed2a9a50baea845 100755 (executable)
--- a/src/data-control-sql.c
+++ b/src/data-control-sql.c
@@ -41,7 +41,6 @@
 #include "data-control-internal.h"
 
 #define REQUEST_PATH_MAX               512
-#define MAX_REQUEST_ARGUMENT_SIZE      1048576 /* 1MB */
 
 typedef struct {
        char *provider_id;
@@ -362,6 +361,12 @@ static int __recv_sql_select_process(bundle *kb, int fd, resultset_cursor *curso
                        goto out;
                }
 
+               if (column_name_len < 0 || column_name_len > MAX_COLUMN_SIZE) {
+                       retval = DATACONTROL_ERROR_IO_ERROR;
+                       LOGE("Invalid column_name_len %d", column_name_len);
+                       goto out;
+               }
+
                LOGE("column_name_len : %d", column_name_len);
                if (write(result_fd, &column_name_len, sizeof(int)) == -1) {
                        LOGE("Writing a column_type to a file descriptor is failed. errno = %d", errno);
@@ -414,6 +419,12 @@ static int __recv_sql_select_process(bundle *kb, int fd, resultset_cursor *curso
                goto out;
        }
 
+       if (row_count < 0 || row_count > MAX_ROW_COUNT) {
+               LOGE("invalid row_count %d", row_count);
+               retval = DATACONTROL_ERROR_IO_ERROR;
+               goto out;
+       }
+
        LOGE("row_count : %lld", row_count);
        if (write(result_fd, &row_count, sizeof(row_count)) == -1) {
                LOGE("Writing a row_count to a file descriptor is failed. errno = %d", errno);
@@ -462,7 +473,7 @@ static int __recv_sql_select_process(bundle *kb, int fd, resultset_cursor *curso
                                goto out;
                        }
 
-                       if (size > 0) {
+                       if (size > 0 && size < MAX_REQUEST_ARGUMENT_SIZE) {
                                value = (void *)malloc(sizeof(void) * size);
                                if (value == NULL) {
                                        LOGE("Out of mememory");
@@ -539,7 +550,7 @@ static gboolean __consumer_recv_sql_message(GIOChannel *channel,
                        LOGE("__consumer_recv_sql_message: ...from %d: EOF\n", fd);
                        goto error;
                }
-               if (data_len > 0) {
+               if (data_len > 0 && data_len < MAX_REQUEST_ARGUMENT_SIZE) {
                        buf = (char *)calloc(data_len + 1, sizeof(char));
                        if (buf == NULL) {
                                LOGE("Out of memory.");

diff --git a/src/data_control_internal.c b/src/data_control_internal.c
index 0a880102fd5603235fe3301a003b7995da998fc3..2ffa68d35969d17c1ed0f8d5c3cf1020d40cb914 100755 (executable)
--- a/src/data_control_internal.c
+++ b/src/data_control_internal.c
@@ -41,7 +41,7 @@
 int datacontrol_check_privilege(privilege_type check_type)
 {
 
-       cynara *p_cynara;
+       cynara *p_cynara = NULL;
 
        int fd = 0;
        int ret = 0;