From: Cheoleun Moon Date: Thu, 2 Apr 2020 07:09:54 +0000 (+0900) Subject: Check bounds of tainted values X-Git-Tag: submit/tizen/20200403.050222~2^2~6^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=42ae64eaeda81de9630ad9dc0ba4b22a955a67b0;p=platform%2Fcore%2Fapi%2Fwifi-aware.git Check bounds of tainted values --- diff --git a/test/wifi-aware-test.c b/test/wifi-aware-test.c index 1f911ae..fa2815a 100644 --- a/test/wifi-aware-test.c +++ b/test/wifi-aware-test.c @@ -423,6 +423,10 @@ static int __set_match_filter(unsigned char match_filter[MAX_MATCH_FILTER_LEN + if (scanf("%d", &total_num) < 0) return -1; + if (total_num < 0 || total_num > MAX_MATCH_FILTER_LEN) { + printf("Too many match filters"); + return -1; + } for (int i = 0; i < total_num; ++i) { printf("%d match filter len: ", i); if (scanf("%d", &len) < 0) @@ -434,6 +438,14 @@ static int __set_match_filter(unsigned char match_filter[MAX_MATCH_FILTER_LEN + printf("The length of filter value is not %d\n", len); return -1; } + if (total_len > MAX_MATCH_FILTER_LEN) { + printf("The length of filter value is longer than max length(%d)", MAX_MATCH_FILTER_LEN); + return -1; + } + if (total_len + len > MAX_MATCH_FILTER_LEN) { + printf("The length of filter value is longer than max length(%d)", MAX_MATCH_FILTER_LEN); + return -1; + } match_filter[total_len++] = len; memcpy(&match_filter[total_len], filter, len); total_len += len; @@ -479,7 +491,7 @@ static void __set_publish_config(wifi_aware_publish_h publish) ret = scanf("%d", &set_mf); if (set_mf == 1) { len = __set_match_filter(match_filter); - if (len < 0) { + if (len < 0 || len >= MAX_MATCH_FILTER_LEN) { printf("Not set match filter\n"); return; } @@ -689,7 +701,7 @@ static void __set_subscribe_config(wifi_aware_subscribe_h subscribe) ret = scanf("%d", &set_mf); if (set_mf == 1) { len = __set_match_filter(match_filter); - if (len < 0) { + if (len < 0 || len >= MAX_MATCH_FILTER_LEN) { printf("Not set match filter\n"); return; }