From 1796268e3cb80562a5a75e8c50f1486998e2c251 Mon Sep 17 00:00:00 2001
From: Suchang Woo
Date: Mon, 12 Oct 2015 20:52:24 +0900
Subject: [PATCH] common: fix 'TAINTED_SCALAR' issue

The message length from received packet should be checked.

Change-Id: I27127409080e2a4244c96f6fb2b4d1f641911d11
Signed-off-by: Suchang Woo
---
 common/proto.c | 20 +++++++++++++++++++-
 common/proto.h | 13 +++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/common/proto.c b/common/proto.c
index 50d76bc..8891092 100644
--- a/common/proto.c
+++ b/common/proto.c
@@ -294,6 +294,15 @@ int proto_recv_async(int fd, recv_callback callback, void *user_data)
 	if (hdr.type == MSG_SINGLE)
 		return proto_recv_single(fd, callback, user_data);
 
+	if (hdr.total >= MSG_TOTAL_MAX) {
+		bxt_err("recv: fd %d message total %d >= %d, message ignored",
+				fd, hdr.total, MSG_TOTAL_MAX);
+		flush_data(fd, sizeof(hdr) + hdr.len);
+		pthread_mutex_unlock(&recv_lock);
+		errno = EMSGSIZE;
+		return -1;
+	}
+
 	return proto_recv_frag(fd, &hdr, callback, user_data);
 }
 
@@ -453,11 +462,20 @@ int proto_recv(int fd, enum message_type *type, uint8_t **data, int32_t *len)
 		return -1;
 	}
 
-	if (r != sizeof(hdr) || hdr.len == 0 || hdr.type != MSG_SINGLE) {
+	if (r != sizeof(hdr) || hdr.len == 0 || hdr.type != MSG_SINGLE
+			|| hdr.total != hdr.len) {
 		bxt_err("recv: fd %d Invalid message", fd);
 		return -1;
 	}
 
+	if (hdr.total >= MSG_SINGLE_MAX) {
+		bxt_err("recv: fd %d message size %d >= %d",
+				fd, hdr.total, MSG_SINGLE_MAX);
+		flush_data(fd, hdr.total);
+		errno = EMSGSIZE;
+		return -1;
+	}
+
 	_data = malloc(hdr.total);
 	if (!_data) {
 		flush_data(fd, hdr.total);
diff --git a/common/proto.h b/common/proto.h
index 4074e2b..8b72701 100644
--- a/common/proto.h
+++ b/common/proto.h
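Review bot: The new guard in proto_recv_async bounds hdr.total from above only; if hdr.total is a signed 32-bit field, as the `%d` format here and the `int32_t *len` parameter of proto_recv suggest, a negative total passes `hdr.total >= MSG_TOTAL_MAX` and reaches proto_recv_frag unchecked. hdr.len is not validated in this hunk at all, yet the same branch feeds it into `flush_data(fd, sizeof(hdr) + hdr.len)`. Tighten the condition to `if (hdr.total <= 0 || hdr.total >= MSG_TOTAL_MAX || hdr.len <= 0) {`, adding an upper bound on hdr.len unless proto_recv_frag already enforces one (not visible here). Why sizeof(hdr) extra bytes are flushed on this path but not in proto_recv is not explained by the hunk; a one-line comment on the flush_data call would help. proto_recv_async begins and ends outside the hunk.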
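Review bot: In proto_recv the added check `hdr.total >= MSG_SINGLE_MAX` still admits a negative hdr.total if the field is signed (the `%d` format suggests it is); the condition above it only rules out `hdr.len == 0` and `hdr.total != hdr.len`, so a negative length would continue to `malloc(hdr.total)`, converting to a huge size_t, and on the allocation-failure path to `flush_data(fd, hdr.total)`. Change the guard to `if (hdr.total <= 0 || hdr.total >= MSG_SINGLE_MAX) {` so both directions are rejected before any size is derived from the field. For consistency with the new branch, the 'Invalid message' return two lines above could also set errno (EBADMSG or EINVAL) instead of leaving it stale. proto_recv starts and ends outside the hunk.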
@@ -30,6 +30,19 @@
 #define MSG_MTU 4096
 
 /*
+ * Single type message
+ * = key (<4KB) + value (<4KB) + privileges (<2KB) + etc (<6KB)
+ */
+#define MSG_SINGLE_MAX (1 << 14) /* 16KB */
+
+/*
+ * The length of MSG_LIST is the length of key name * number of keys.
+ * Usually, an average length of key name is about 35B.
+ * A 32MB message can send about 0.9M names of keys.
+ */
+#define MSG_TOTAL_MAX (1 << 25) /* 32 MB */
+
+/*
  * Message header (12 bytes) :
  *
  * +-----------+-----------+-----------+-----------+
-- 
2.7.4
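Review bot: Both new constants are used by proto.c as exclusive bounds (a header with `hdr.total >= MSG_SINGLE_MAX` or `>= MSG_TOTAL_MAX` is rejected with EMSGSIZE), but the trailing `/* 16KB */` and `/* 32 MB */` read as sizes a message may actually have. Say so on each definition, e.g. `#define MSG_SINGLE_MAX (1 << 14) /* exclusive bound: hdr.total >= this is rejected with EMSGSIZE */` and the same wording on MSG_TOTAL_MAX. The block comment should also state how MSG_SINGLE_MAX relates to MSG_MTU defined just above, if it does, and note that the 0.9M figure is 32MB / 35B so a reader can re-derive it when the average key length changes.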