[IMPROVE] check on incorrect data

diff --git a/parser/msg_buf.c b/parser/msg_buf.c
index 25be215..82a93cf 100644 (file)
--- a/parser/msg_buf.c
+++ b/parser/msg_buf.c
@@ -37,6 +37,11 @@ int cmp_mb(struct msg_buf *mb, size_t size)
        return 0;
 }
 
+size_t remained_mb(struct msg_buf *mb)
+{
+       return mb->end - mb->ptr;
+}
+
 int get_u32(struct msg_buf *mb, u32 *val)
 {
        if (cmp_mb(mb, sizeof(*val)) < 0)

diff --git a/parser/msg_buf.h b/parser/msg_buf.h
index 79292f6..77136f8 100644 (file)
--- a/parser/msg_buf.h
+++ b/parser/msg_buf.h
@@ -13,6 +13,7 @@ int init_mb(struct msg_buf *mb, size_t size);
 void uninit_mb(struct msg_buf *mb);
 
 int cmp_mb(struct msg_buf *mb, size_t size);
+size_t remained_mb(struct msg_buf *mb);
 
 int get_u32(struct msg_buf *mb, u32 *val);
 int get_u64(struct msg_buf *mb, u64 *val);

diff --git a/parser/msg_parser.c b/parser/msg_parser.c
index 991fb8c..c32d8fe 100644 (file)
--- a/parser/msg_parser.c
+++ b/parser/msg_parser.c
@@ -206,6 +206,9 @@ struct lib_inst_data *create_lib_inst_data(struct msg_buf *mb)
        if (get_u32(mb, &cnt))
                return NULL;
 
+       if (remained_mb(mb) / MIN_SIZE_FUNC_INST < cnt)
+               return NULL;
+
        li = kmalloc(sizeof(*li), GFP_KERNEL);
        if (li)
                goto free_path;
@@ -278,6 +281,9 @@ struct app_inst_data *create_app_inst_data(struct msg_buf *mb)
        if (get_u32(mb, &cnt_func))
                goto free_app_info;
 
+       if (remained_mb(mb) / MIN_SIZE_FUNC_INST < cnt_func)
+               goto free_app_info;
+
        app_inst = kmalloc(sizeof(*app_inst), GFP_KERNEL);
        if (app_inst == NULL)
                goto free_app_info;
@@ -298,6 +304,9 @@ struct app_inst_data *create_app_inst_data(struct msg_buf *mb)
        if (get_u32(mb, &cnt_lib))
                goto free_func;
 
+       if (remained_mb(mb) / MIN_SIZE_LIB_INST < cnt_lib)
+               goto free_func;
+
        app_inst->lib = kmalloc(sizeof(struct lib_inst_data *) * cnt_lib,
                                GFP_KERNEL);
        if (app_inst->lib == NULL)
@@ -368,7 +377,10 @@ struct us_inst_data *create_us_inst_data(struct msg_buf *mb)
        if (get_u32(mb, &cnt))
                return NULL;
 
-       ui = kmalloc(sizeof(struct us_inst_data) * cnt, GFP_KERNEL);
+       if (remained_mb(mb) / MIN_SIZE_APP_INST < cnt)
+               return NULL;
+
+       ui = kmalloc(sizeof(struct us_inst_data), GFP_KERNEL);
        if (ui == NULL)
                return NULL;
 

diff --git a/parser/msg_parser.h b/parser/msg_parser.h
index 2de6fdd..5b69095 100644 (file)
--- a/parser/msg_parser.h
+++ b/parser/msg_parser.h
@@ -11,6 +11,10 @@ enum APP_TYPE {
        AT_COMMON_EXEC          = 0x03
 };
 
+enum {
+       SIZE_APP_TYPE = 4
+};
+
 /* Basic application information */
 struct app_info_data {
        enum APP_TYPE app_type;
@@ -72,4 +76,24 @@ void destroy_app_inst_data(struct app_inst_data *app_inst);
 struct us_inst_data *create_us_inst_data(struct msg_buf *mb);
 void destroy_us_inst_data(struct us_inst_data *us_inst);
 
+
+/* empty functions for calculating size fields in structures */
+struct func_inst_data make_func_inst_data(void);
+struct lib_inst_data make_lib_inst_data(void);
+struct app_inst_data make_app_inst_data(void);
+struct us_inst_data make_us_inst_data(void);
+
+enum {
+       MIN_SIZE_STRING = 1,
+       MIN_SIZE_FUNC_INST = sizeof(make_func_inst_data().addr) +
+                            MIN_SIZE_STRING,
+       MIN_SIZE_LIB_INST = MIN_SIZE_STRING +
+                           sizeof(make_lib_inst_data().cnt_func),
+       MIN_SIZE_APP_INFO = SIZE_APP_TYPE + MIN_SIZE_STRING + MIN_SIZE_STRING,
+       MIN_SIZE_APP_INST = MIN_SIZE_APP_INFO +
+                           sizeof(make_app_inst_data().cnt_func) +
+                           sizeof(make_app_inst_data().cnt_lib),
+       MIN_SIZE_US_INST = sizeof(make_us_inst_data().cnt)
+};
+
 #endif /* _MSG_PARSER_H */