From f24ea59762fea99959b2720ede9c447c045be23e Mon Sep 17 00:00:00 2001
From: Vyacheslav Cherkashin
Date: Wed, 3 Jul 2013 13:14:15 +0400
Subject: [PATCH] [IMPROVE] check on incorrect data
---
 parser/msg_buf.c | 5 +++++
 parser/msg_buf.h | 1 +
 parser/msg_parser.c | 14 +++++++++++++-
 parser/msg_parser.h | 24 ++++++++++++++++++++++++
 4 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/parser/msg_buf.c b/parser/msg_buf.c
index 25be215..82a93cf 100644
--- a/parser/msg_buf.c
+++ b/parser/msg_buf.c
@@ -37,6 +37,11 @@ int cmp_mb(struct msg_buf *mb, size_t size)
 return 0;
 }
+size_t remained_mb(struct msg_buf *mb)
+{
+ return mb->end - mb->ptr;
+}
+
 int get_u32(struct msg_buf *mb, u32 *val)
 {
 if (cmp_mb(mb, sizeof(*val)) < 0)
diff --git a/parser/msg_buf.h b/parser/msg_buf.h
index 79292f6..77136f8 100644
--- a/parser/msg_buf.h
+++ b/parser/msg_buf.h
@@ -13,6 +13,7 @@ int init_mb(struct msg_buf *mb, size_t size);
 void uninit_mb(struct msg_buf *mb);
 int cmp_mb(struct msg_buf *mb, size_t size);
+size_t remained_mb(struct msg_buf *mb);
 int get_u32(struct msg_buf *mb, u32 *val);
 int get_u64(struct msg_buf *mb, u64 *val);
diff --git a/parser/msg_parser.c b/parser/msg_parser.c
index 991fb8c..c32d8fe 100644
--- a/parser/msg_parser.c
+++ b/parser/msg_parser.c
@@ -206,6 +206,9 @@ struct lib_inst_data *create_lib_inst_data(struct msg_buf *mb)
 if (get_u32(mb, &cnt))
 return NULL;
+ if (remained_mb(mb) / MIN_SIZE_FUNC_INST < cnt)
+ return NULL;
+
 li = kmalloc(sizeof(*li), GFP_KERNEL);
 if (li)
 goto free_path;
@@ -278,6 +281,9 @@ struct app_inst_data *create_app_inst_data(struct msg_buf *mb)
 if (get_u32(mb, &cnt_func))
 goto free_app_info;
+ if (remained_mb(mb) / MIN_SIZE_FUNC_INST < cnt_func)
+ goto free_app_info;
+
 app_inst = kmalloc(sizeof(*app_inst), GFP_KERNEL);
 if (app_inst == NULL)
 goto free_app_info;
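Review bot: `remained_mb` hands back the ptrdiff_t difference `mb->end - mb->ptr` as a size_t, so if `ptr` can ever be left past `end` the result wraps to a huge value and the new `remained_mb(mb) / MIN_SIZE_* < cnt` guards in msg_parser.c would pass instead of rejecting the message. Whether cmp_mb and the get_* helpers keep `ptr <= end` cannot be seen from this hunk; if that invariant is not guaranteed, the helper can protect itself with `return mb->ptr < mb->end ? (size_t)(mb->end - mb->ptr) : 0;`. Either way a one-line comment stating the contract, e.g. `/* bytes of the message not yet consumed; callers' bound checks rely on ptr <= end */`, would help, since the neighbouring helpers carry none.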
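Review bot: `if (li) goto free_path;`, the context line immediately after the new count guard in create_lib_inst_data, jumps to cleanup when kmalloc succeeds and falls through with `li == NULL` when it fails, which looks like an inverted test that this commit leaves in place; the sibling hunk at @@ -278 writes the same check as `if (app_inst == NULL) goto free_app_info;`. Unless `free_path`, whose label lies outside the hunk (create_lib_inst_data starts and ends outside it), does something other than its name suggests, the line should read `if (li == NULL) goto free_path;`. The guard itself is sound: dividing the remaining byte count by the minimum record size cannot overflow the way a `cnt * size` product can, and it caps `cnt` by what the message can physically carry, which presumably bounds the per-function allocation made further down. The same shape recurs at @@ -278, @@ -298 and @@ -368, so one comment at this first site, `/* reject counts that cannot fit in the bytes still unread, before sizing any allocation by them */`, would cover all four.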
@@ -298,6 +304,9 @@ struct app_inst_data *create_app_inst_data(struct msg_buf *mb)
 if (get_u32(mb, &cnt_lib))
 goto free_func;
+ if (remained_mb(mb) / MIN_SIZE_LIB_INST < cnt_lib)
+ goto free_func;
+
 app_inst->lib = kmalloc(sizeof(struct lib_inst_data *) * cnt_lib,
 GFP_KERNEL);
 if (app_inst->lib == NULL)
@@ -368,7 +377,10 @@ struct us_inst_data *create_us_inst_data(struct msg_buf *mb)
 if (get_u32(mb, &cnt))
 return NULL;
- ui = kmalloc(sizeof(struct us_inst_data) * cnt, GFP_KERNEL);
+ if (remained_mb(mb) / MIN_SIZE_APP_INST < cnt)
+ return NULL;
+
+ ui = kmalloc(sizeof(struct us_inst_data), GFP_KERNEL);
 if (ui == NULL)
 return NULL;
diff --git a/parser/msg_parser.h b/parser/msg_parser.h
index 2de6fdd..5b69095 100644
--- a/parser/msg_parser.h
+++ b/parser/msg_parser.h
@@ -11,6 +11,10 @@ enum APP_TYPE {
 AT_COMMON_EXEC = 0x03
 };
+enum {
+ SIZE_APP_TYPE = 4
+};
+
 /* Basic application information */
 struct app_info_data {
 enum APP_TYPE app_type;
@@ -72,4 +76,24 @@ void destroy_app_inst_data(struct app_inst_data *app_inst);
 struct us_inst_data *create_us_inst_data(struct msg_buf *mb);
 void destroy_us_inst_data(struct us_inst_data *us_inst);
+
+/* empty functions for calculating size fields in structures */
+struct func_inst_data make_func_inst_data(void);
+struct lib_inst_data make_lib_inst_data(void);
+struct app_inst_data make_app_inst_data(void);
+struct us_inst_data make_us_inst_data(void);
+
+enum {
+ MIN_SIZE_STRING = 1,
+ MIN_SIZE_FUNC_INST = sizeof(make_func_inst_data().addr) +
+ MIN_SIZE_STRING,
+ MIN_SIZE_LIB_INST = MIN_SIZE_STRING +
+ sizeof(make_lib_inst_data().cnt_func),
+ MIN_SIZE_APP_INFO = SIZE_APP_TYPE + MIN_SIZE_STRING + MIN_SIZE_STRING,
+ MIN_SIZE_APP_INST = MIN_SIZE_APP_INFO +
+ sizeof(make_app_inst_data().cnt_func) +
+ sizeof(make_app_inst_data().cnt_lib),
+ MIN_SIZE_US_INST = sizeof(make_us_inst_data().cnt)
+};
+
 #endif /* _MSG_PARSER_H */
--
2.7.4
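Review bot: `SIZE_APP_TYPE = 4` pins the on-the-wire width of `app_type` independently of `sizeof(enum APP_TYPE)`, which is the right call because an enum's storage size is implementation-defined, but nothing in the hunk says why the constant exists; presumably the field is read with `get_u32`. A comment such as `/* wire width of app_info_data.app_type (a u32 in the message), deliberately not sizeof(enum APP_TYPE) */` would tie it to MIN_SIZE_APP_INFO further down, which is its only visible user.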
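Review bot: The `make_*_inst_data` prototypes appear only as operands of `sizeof`, an unevaluated context, so no definition is ever needed or linked, yet the comment `/* empty functions for calculating size fields in structures */` reads as though empty bodies exist somewhere; suggest `/* declared only so sizeof(make_x().field) can name a member's width; never called, never defined */`. Because every MIN_SIZE_* constant is used as a divisor in msg_parser.c, the enum comment should also state that each is at least 1 by construction, with MIN_SIZE_STRING = 1 presumably standing for the terminating NUL of a string field. MIN_SIZE_US_INST is defined here but referenced by no hunk in this patch, so it is either reserved for a follow-up or dead.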