From accc6e6e360a46b4868159427af60996ac19c6e1 Mon Sep 17 00:00:00 2001
From: Junghoon Park
Date: Fri, 10 Jun 2016 14:19:42 +0900
Subject: [PATCH] Add validation checker for receiving packets
Change-Id: Ibaa4bb2a26b1e51b075da10d08e61ddc33988ea2
Signed-off-by: Junghoon Park
---
 src/aul_sock.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/aul_sock.c b/src/aul_sock.c
index d250f3a..91a87a0 100644
--- a/src/aul_sock.c
+++ b/src/aul_sock.c
@@ -32,6 +32,7 @@
 #include "aul_util.h"
 #define MAX_NR_OF_DESCRIPTORS 2
+#define MAX_PAYLOAD_SIZE (1024 * 1024 * 1)
 #ifdef TIZEN_FEATURE_DEFAULT_USER
 #define REGULAR_UID_MIN 5000
@@ -429,6 +430,11 @@ API app_pkt_t *aul_sock_recv_pkt(int fd, int *clifd, struct ucred *cr)
 memcpy(&datalen, buf + sizeof(int), sizeof(int));
 memcpy(&opt, buf + sizeof(int) + sizeof(int), sizeof(int));
+ if (datalen <= 0 || datalen > MAX_PAYLOAD_SIZE) {
+ close(*clifd);
+ return NULL;
+ }
+
 /* allocate for a null byte */
 pkt = (app_pkt_t *)calloc(1, AUL_PKT_HEADER_SIZE + datalen + 1);
 if (pkt == NULL) {
@@ -487,6 +493,12 @@ retry_recv:
 memcpy(&len, buf + sizeof(int), sizeof(int));
 memcpy(&recv_opt, buf + sizeof(int) + sizeof(int), sizeof(int));
+ if (len <= 0 || len > MAX_PAYLOAD_SIZE) {
+ close(fd);
+ *ret_pkt = NULL;
+ return -ECOMM;
+ }
+
 /* allocate for a null byte */
 pkt = (app_pkt_t *)calloc(1, AUL_PKT_HEADER_SIZE + len + 1);
 if (pkt == NULL) {
-- 
2.7.4
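Review bot: `MAX_PAYLOAD_SIZE` is added without a comment giving its unit or why 1 MiB is the limit, and the trailing `* 1` adds nothing. Since this constant is now the only bound on a length field taken from the wire, a one-line comment would help the next reader, for example `/* upper bound, in bytes, on the payload length accepted from a peer */` above `#define MAX_PAYLOAD_SIZE (1024 * 1024)`.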
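Review bot: The added check in aul_sock_recv_pkt rejects `datalen == 0` together with negative values, so a header-only packet is now dropped as invalid. If the protocol allows commands that carry no payload, the test should be `if (datalen < 0 || datalen > MAX_PAYLOAD_SIZE) {`; the second added check on `len` after `retry_recv:` has the same `<= 0` condition. The rejection is also silent. An out-of-range length comes from the peer, so an error log carrying the rejected value before `close(*clifd)` would make malformed or hostile senders visible to whoever operates the daemon. The function starts and continues outside the hunk, so whether `cr` is already filled at this point and could be logged too cannot be told from here.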
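Review bot: The new error path calls `close(fd)` on a descriptor the caller passed in and then returns `-ECOMM`, so the caller still holds the old descriptor number. If any caller closes fd itself when it sees an error, that second close can land on a descriptor that has since been reused for something else. The callers and the function's other error paths are outside the hunk, so this may already be the established contract. If it is, stating it next to the check would settle it, e.g. `/* fd is closed here; callers must not close it again */`. The first added check has the same pattern with `close(*clifd)`, which leaves the closed descriptor number in `*clifd`.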