From: Hauke Mehrtens
Date: Wed, 22 Jun 2016 09:41:43 +0000 (+0200)
Subject: Fix memory corruption when reading integers from cbor
X-Git-Tag: 1.2.0+RC1~165
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=87a05a6977ba8c28774b3f0b9cf1eb15a7e6d6ec;p=platform%2Fupstream%2Fiotivity.git

Fix memory corruption when reading integers from cbor

When the cbor_value_get_*() function is called with a pointer to some int, it should have the correct size. When we cast it to something else it is treated as a pointer to an uint64_t in the function for example and them 64 bits gets written to memory even with the real type is only 32 bit long. When the real type is only 32 bit long some other memory gets overwritten. On Big endian systems the least significant bits are cut of so in most cases 0 is read. With this patch a value cast is used and the value is converted to the other size. This is the same as in commit 0d64c7c95a5c11a9fb5201e729fd8c75da210c80 "security: fix reading of permission attribute from configuration"
Change-Id: If5965491241e25ebf60a22dc45d37d74a33cb02f
Signed-off-by: Hauke Mehrtens
Reviewed-on: https://gerrit.iotivity.org/gerrit/8925
Tested-by: jenkins-iotivity
Reviewed-by: Randeep Singh
---
diff --git a/resource/csdk/security/src/crlresource.c b/resource/csdk/security/src/crlresource.c
index 23781b7..aa4252c 100644
--- a/resource/csdk/security/src/crlresource.c
+++ b/resource/csdk/security/src/crlresource.c
@@ -185,8 +185,11 @@ OCStackResult CBORPayloadToCrl(const uint8_t *cborPayload, const size_t size,
 cborFindResult = cbor_value_map_find_value(&crlCbor, OIC_CBOR_CRL_ID, &crlMap);
 if (CborNoError == cborFindResult && cbor_value_is_integer(&crlMap))
 {
- cborFindResult = cbor_value_get_int(&crlMap, (int *) &crl->CrlId);
+ int CrlId;
+
+ cborFindResult = cbor_value_get_int(&crlMap, &CrlId);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding CrlId.");
+ crl->CrlId = (uint16_t)CrlId;
 }
 cborFindResult = cbor_value_map_find_value(&crlCbor, OIC_CBOR_CRL_THIS_UPDATE, &crlMap);
diff --git a/resource/csdk/security/src/doxmresource.c b/resource/csdk/security/src/doxmresource.c
index cc16a54..8dd6b1a 100644
--- a/resource/csdk/security/src/doxmresource.c
+++ b/resource/csdk/security/src/doxmresource.c
@@ -394,8 +394,11 @@ static OCStackResult CBORPayloadToDoxmBin(const uint8_t *cborPayload, size_t siz
 int i = 0;
 while (cbor_value_is_valid(&oxm) && cbor_value_is_integer(&oxm))
 {
- cborFindResult = cbor_value_get_int(&oxm, (int *) &doxm->oxm[i++]);
+ int tmp;
+
+ cborFindResult = cbor_value_get_int(&oxm, &tmp);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding oxmName Value")
+ doxm->oxm[i++] = (OicSecOxm_t)tmp;
 cborFindResult = cbor_value_advance(&oxm);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Advancing oxmName.")
 }
@@ -421,8 +424,11 @@ static OCStackResult CBORPayloadToDoxmBin(const uint8_t *cborPayload, size_t siz
 cborFindResult = cbor_value_map_find_value(&doxmCbor, OIC_JSON_OXM_SEL_NAME, &doxmMap);
 if (CborNoError == cborFindResult && cbor_value_is_integer(&doxmMap))
 {
- cborFindResult = cbor_value_get_int(&doxmMap, (int *) &doxm->oxmSel);
+ int oxmSel;
+
+ cborFindResult = cbor_value_get_int(&doxmMap, &oxmSel);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Sel Name Value.")
+ doxm->oxmSel = (OicSecOxm_t)oxmSel;
 }
 else // PUT/POST JSON may not have oxmsel so set it to the gDoxm->oxmSel
 {
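Review bot: In the crlresource.c hunk, `crl->CrlId = (uint16_t)CrlId;` narrows a payload-supplied integer without a range check, so a negative or over-65535 CrlId is silently wrapped to some other id instead of being rejected. A guard such as `if (CrlId < 0 || CrlId > UINT16_MAX)` that fails the parse before the store would keep malformed input out of the CRL state. The same unchecked narrowing appears in the ocpayloadparse.c hunks (`(uint8_t)bitmap`, `(uint16_t)port`, `(uint16_t)tcpPort`), and the enum casts in the doxm, dpairing, pconf, pstat and svc hunks accept values outside the defined enumerators in the same way. CBORPayloadToCrl's body continues outside the hunk, so how the failure should be reported (presumably through the existing exit path) needs confirming there.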
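Review bot: In the doxmresource.c loop at `doxm->oxm[i++] = (OicSecOxm_t)tmp;`, nothing visible in the hunk limits `i` to the number of elements allocated for `doxm->oxm`; the loop ends only when the CBOR iterator stops yielding integers. If the allocation is sized from the same array outside the hunk this may be safe, but an explicit bound in the loop condition, comparing `i` with the allocated length, would make the write safe regardless of how the payload is encoded. The `pconf->prm[i++]` loop in the pconfresource.c hunk has the same shape. The allocation of both arrays is outside the hunks.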
@@ -433,8 +439,11 @@ static OCStackResult CBORPayloadToDoxmBin(const uint8_t *cborPayload, size_t siz
 cborFindResult = cbor_value_map_find_value(&doxmCbor, OIC_JSON_SUPPORTED_CRED_TYPE_NAME, &doxmMap);
 if (CborNoError == cborFindResult && cbor_value_is_integer(&doxmMap))
 {
- cborFindResult = cbor_value_get_int(&doxmMap, (int *) &doxm->sct);
+ int sct;
+
+ cborFindResult = cbor_value_get_int(&doxmMap, &sct);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Sct Name Value.")
+ doxm->sct = (OicSecCredType_t)sct;
 if (roParsed)
 {
diff --git a/resource/csdk/security/src/dpairingresource.c b/resource/csdk/security/src/dpairingresource.c
index 830090a..5f244c8 100644
--- a/resource/csdk/security/src/dpairingresource.c
+++ b/resource/csdk/security/src/dpairingresource.c
@@ -308,8 +308,11 @@ OCStackResult CBORPayloadToDpair(const uint8_t *cborPayload, size_t size,
 type = cbor_value_get_type(&dpairMap);
 if (0 == strcmp(OIC_JSON_SPM_NAME, name) && cbor_value_is_integer(&dpairMap))
 {
- cborFindResult = cbor_value_get_int(&dpairMap, (int *) &dpair->spm);
+ int spm;
+
+ cborFindResult = cbor_value_get_int(&dpairMap, &spm);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding SPM Value");
+ dpair->spm = (OicSecPrm_t)spm;
 }
 if (0 == strcmp(OIC_JSON_PDEVICE_ID_NAME, name))
diff --git a/resource/csdk/security/src/pconfresource.c b/resource/csdk/security/src/pconfresource.c
index 7321c37..84bbf48 100644
--- a/resource/csdk/security/src/pconfresource.c
+++ b/resource/csdk/security/src/pconfresource.c
@@ -505,8 +505,11 @@ OCStackResult CBORPayloadToPconf(const uint8_t *cborPayload, size_t size, OicSec
 while (cbor_value_is_valid(&prm) && cbor_value_is_integer(&prm))
 {
- cborFindResult = cbor_value_get_int(&prm, (int *)&pconf->prm[i++]);
+ int prm_val;
+
+ cborFindResult = cbor_value_get_int(&prm, &prm_val);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to get value");
+ pconf->prm[i++] = (OicSecPrm_t)prm_val;
 cborFindResult = cbor_value_advance(&prm);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to advance value");
 }
diff --git a/resource/csdk/security/src/pstatresource.c b/resource/csdk/security/src/pstatresource.c
index 1846d48..a5ec8ae 100644
--- a/resource/csdk/security/src/pstatresource.c
+++ b/resource/csdk/security/src/pstatresource.c
@@ -314,8 +314,11 @@ static OCStackResult CBORPayloadToPstatBin(const uint8_t *cborPayload, const siz
 cborFindResult = cbor_value_map_find_value(&pstatCbor, OIC_JSON_CM_NAME, &pstatMap);
 if (CborNoError == cborFindResult && cbor_value_is_integer(&pstatMap))
 {
- cborFindResult = cbor_value_get_int(&pstatMap, (int *) &pstat->cm);
+ int cm;
+
+ cborFindResult = cbor_value_get_int(&pstatMap, &cm);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding CM.");
+ pstat->cm = (OicSecDpm_t)cm;
 }
 else
 {
@@ -326,8 +329,11 @@ static OCStackResult CBORPayloadToPstatBin(const uint8_t *cborPayload, const siz
 cborFindResult = cbor_value_map_find_value(&pstatCbor, OIC_JSON_TM_NAME, &pstatMap);
 if (CborNoError == cborFindResult && cbor_value_is_integer(&pstatMap))
 {
- cborFindResult = cbor_value_get_int(&pstatMap, (int *) &pstat->tm);
+ int tm;
+
+ cborFindResult = cbor_value_get_int(&pstatMap, &tm);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding TM.");
+ pstat->tm = (OicSecDpm_t)tm;
 }
 else
 {
@@ -338,8 +344,11 @@ static OCStackResult CBORPayloadToPstatBin(const uint8_t *cborPayload, const siz
 cborFindResult = cbor_value_map_find_value(&pstatCbor, OIC_JSON_OM_NAME, &pstatMap);
 if (CborNoError == cborFindResult && cbor_value_is_integer(&pstatMap))
 {
- cborFindResult = cbor_value_get_int(&pstatMap, (int *) &pstat->om);
+ int om;
+
+ cborFindResult = cbor_value_get_int(&pstatMap, &om);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding OM.");
+ pstat->om = (OicSecDpom_t)om;
 }
 else
 {
@@ -350,10 +359,13 @@ static OCStackResult CBORPayloadToPstatBin(const uint8_t *cborPayload, const siz
 cborFindResult = cbor_value_map_find_value(&pstatCbor, OIC_JSON_SM_NAME, &pstatMap);
 if (CborNoError == cborFindResult && cbor_value_is_integer(&pstatMap))
 {
+ int sm;
+
 pstat->smLen = 1;
 pstat->sm = (OicSecDpom_t*)OICCalloc(pstat->smLen, sizeof(OicSecDpom_t));
- cborFindResult = cbor_value_get_int(&pstatMap, (int *) &pstat->sm[0]);
+ cborFindResult = cbor_value_get_int(&pstatMap, &sm);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding SM.");
+ pstat->sm[0] = (OicSecDpom_t)sm;
 if (roParsed)
 {
diff --git a/resource/csdk/security/src/svcresource.c b/resource/csdk/security/src/svcresource.c
index 410d22c..180176c 100644
--- a/resource/csdk/security/src/svcresource.c
+++ b/resource/csdk/security/src/svcresource.c
@@ -241,8 +241,11 @@ OCStackResult CBORPayloadToSVC(const uint8_t *cborPayload, size_t size,
 // Service Type
 if (0 == strcmp(OIC_JSON_SERVICE_TYPE, name) && cbor_value_is_integer(&svcMap))
 {
- cborFindResult = cbor_value_get_int(&svcMap, (int *) &svc->svct);
+ int svct;
+
+ cborFindResult = cbor_value_get_int(&svcMap, &svct);
 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to Find SVCT.");
+ svc->svct = (OicSecSvcType_t)svct;
 }
 // Owners -- Mandatory
diff --git a/resource/csdk/stack/src/ocpayloadparse.c b/resource/csdk/stack/src/ocpayloadparse.c
index 6121839..e27f7ba 100644
--- a/resource/csdk/stack/src/ocpayloadparse.c
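Review bot: In the pstatresource.c SM hunk, the result of `OICCalloc(pstat->smLen, sizeof(OicSecDpom_t))` is not checked before `pstat->sm[0] = (OicSecDpom_t)sm;`, so an allocation failure becomes a NULL write on a path driven by received payloads. A NULL check on `pstat->sm` directly after the allocation, failing the parse, closes this; the ocpayloadparse.c hunk in this commit follows its `OICCalloc` with `VERIFY_PARAM_NON_NULL`, and the equivalent macro already used in pstatresource.c would fit here. The function's exit path is outside the hunk, so whether `pstat->sm` is released when the later `VERIFY_CBOR_SUCCESS` fails should be confirmed there.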
+++ b/resource/csdk/stack/src/ocpayloadparse.c
@@ -290,6 +290,8 @@ static OCStackResult OCParseDiscoveryPayload(OCPayload **outPayload, CborValue *
 while (cbor_value_is_map(&resourceMap))
 {
+ int bitmap;
+
 resource = (OCResourcePayload *)OICCalloc(1, sizeof(OCResourcePayload));
 VERIFY_PARAM_NON_NULL(TAG, resource, "Failed allocating resource payload");
@@ -322,8 +324,9 @@ static OCStackResult OCParseDiscoveryPayload(OCPayload **outPayload, CborValue *
 // Bitmap
 err = cbor_value_map_find_value(&policyMap, OC_RSRVD_BITMAP, &curVal);
 VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap tag");
- err = cbor_value_get_int(&curVal, (int *)&resource->bitmap);
+ err = cbor_value_get_int(&curVal, &bitmap);
 VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap value");
+ resource->bitmap = (uint8_t)bitmap;
 // Secure Flag
 err = cbor_value_map_find_value(&policyMap, OC_RSRVD_SECURE, &curVal);
@@ -339,8 +342,11 @@ static OCStackResult OCParseDiscoveryPayload(OCPayload **outPayload, CborValue *
 VERIFY_CBOR_SUCCESS(TAG, err, "to find port tag");
 if (cbor_value_is_valid(&curVal))
 {
- err = cbor_value_get_int(&curVal, (int *)&resource->port);
+ int port;
+
+ err = cbor_value_get_int(&curVal, &port);
 VERIFY_CBOR_SUCCESS(TAG, err, "to find port value");
+ resource->port = (uint16_t)port;
 }
 #ifdef TCP_ADAPTER
@@ -348,8 +354,11 @@ static OCStackResult OCParseDiscoveryPayload(OCPayload **outPayload, CborValue *
 err = cbor_value_map_find_value(&policyMap, OC_RSRVD_TCP_PORT, &curVal);
 if (cbor_value_is_valid(&curVal))
 {
- err = cbor_value_get_int(&curVal, (int *)&resource->tcpPort);
+ int tcpPort;
+
+ err = cbor_value_get_int(&curVal, &tcpPort);
 VERIFY_CBOR_SUCCESS(TAG, err, "to find tcp port value");
+ resource->tcpPort = (uint16_t)tcpPort;
 }
 #endif
@@ -1213,6 +1222,7 @@ static OCStackResult OCParsePresencePayload(OCPayload **outPayload, CborValue *r
 {
 CborValue curVal;
 uint64_t temp = 0;
+ uint8_t trigger;
 // Sequence Number
 CborError err = cbor_value_map_find_value(rootValue, OC_RSRVD_NONCE, &curVal);
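Review bot: In the ocpayloadparse.c hunks, `cbor_value_get_int` is called on `curVal` for bitmap, port and tcpPort without a preceding `cbor_value_is_integer(&curVal)` check; the port paths test only `cbor_value_is_valid`. The security-resource hunks in this commit all gate the read on `cbor_value_is_integer`, and as far as I know the tinycbor getter only asserts the type, so a discovery response carrying a non-integer item here is not rejected in builds without assertions. Wrapping each read in `if (cbor_value_is_integer(&curVal))`, with an explicit parse error otherwise, would make these paths consistent. The trigger hunk has the same gap: `cbor_value_get_simple_type` is called with no `cbor_value_is_simple_type` check visible. OCParseDiscoveryPayload's loop body continues outside these hunks.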
@@ -1232,8 +1242,9 @@ static OCStackResult OCParsePresencePayload(OCPayload **outPayload, CborValue *r
 // Trigger
 err = cbor_value_map_find_value(rootValue, OC_RSRVD_TRIGGER, &curVal);
 VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger tag");
- err = cbor_value_get_simple_type(&curVal, (uint8_t *)&payload->trigger);
+ err = cbor_value_get_simple_type(&curVal, &trigger);
 VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger value");
+ payload->trigger = (OCPresenceTrigger)trigger;
 // Resource type name
 err = cbor_value_map_find_value(rootValue, OC_RSRVD_RESOURCE_TYPE, &curVal);