[IOT-2172] Length check before memcpy added
authorol.beketov <ol.beketov@samsung.com>
Wed, 10 May 2017 14:56:36 +0000 (17:56 +0300)
committerRandeep Singh <randeep.s@samsung.com>
Thu, 18 May 2017 01:14:43 +0000 (01:14 +0000)
Change-Id: I539a8f21fd149b7d468d96b52e7bcadc964f6931
Signed-off-by: ol.beketov <ol.beketov@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/19785
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Dmitriy Zhuravlev <d.zhuravlev@samsung.com>
Reviewed-by: Andrii Shtompel <a.shtompel@samsung.com>
Reviewed-by: dongik Lee <dongik.lee@samsung.com>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
resource/csdk/security/src/aclresource.c
resource/csdk/security/src/credresource.c
resource/csdk/security/src/doxmresource.c
resource/csdk/security/src/oxmpincommon.c
resource/csdk/security/src/pconfresource.c
resource/csdk/security/src/verresource.c

index 6300d0b..ec5db78 100644 (file)
@@ -2153,6 +2153,12 @@ static bool GetSubjectFromQueryString(const char *query, OicUuid_t *subject)
         {
             char strUuid[STRING_UUID_SIZE] = {0};
             VERIFY_SUCCESS(TAG, 0 != parseIter.valLen, ERROR);
+            if (sizeof(strUuid) < parseIter.valLen)
+            {
+                OIC_LOG(ERROR, TAG, "Uuid is too long");
+                goto exit;
+            }
+
             memcpy(strUuid, parseIter.valPos, parseIter.valLen);
             OCStackResult res = ConvertStrToUuid(strUuid, subject);
             VERIFY_SUCCESS(TAG, OC_STACK_OK == res, ERROR);
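Review bot: The new guard still admits `parseIter.valLen == sizeof(strUuid)`, in which case the `memcpy` fills every byte of `strUuid` and the zero-initialised terminator is overwritten before the buffer is passed to `ConvertStrToUuid` as a string. Assuming `STRING_UUID_SIZE` includes room for the NUL (its definition is not on this page), the comparison should reject the equal case too: `if (sizeof(strUuid) <= parseIter.valLen)`. The body of `GetSubjectFromQueryString` continues outside this hunk, so the `exit` label's cleanup could not be checked here.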
index 6b61d66..5589430 100644 (file)
@@ -2788,8 +2788,13 @@ int32_t GetDtlsPskCredentials(CADtlsPskCredType_t type,
                         {
                             if (ValueWithinBounds(cred->privateData.len, INT32_MAX))
                             {
-                                ret = (int32_t)cred->privateData.len;
-                                memcpy(result, cred->privateData.data, ret);
+                                size_t len = cred->privateData.len;
+                                if (result_length < len)
+                                {
+                                    OIC_LOG (ERROR, TAG, "Wrong value for result_length");
+                                    return ret;
+                                }
+                                memcpy(result, cred->privateData.data, len);
                             }
                         }
                         else if(OIC_ENCODING_BASE64 == cred->privateData.encoding)
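Review bot: The raw-encoding branch no longer assigns `ret` after the copy: the removed `ret = (int32_t)cred->privateData.len;` has no replacement on the new side. Unless `ret` is set somewhere outside this hunk, a successful `memcpy` now returns the initial value of `ret` instead of the key length, which the DTLS caller would presumably treat as a failed PSK lookup. Adding `ret = (int32_t)len;` directly after `memcpy(result, cred->privateData.data, len);` restores the contract and matches the base64 branch in the next hunk. The message "Wrong value for result_length" would also be easier to triage if it said the caller's buffer is smaller than the stored key.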
@@ -2807,6 +2812,11 @@ int32_t GetDtlsPskCredentials(CADtlsPskCredType_t type,
                             {
                                 if (ValueWithinBounds(outKeySize, INT32_MAX))
                                 {
+                                    if (result_length < outKeySize)
+                                    {
+                                        OIC_LOG (ERROR, TAG, "Wrong value for result_length");
+                                        return ret;
+                                    }
                                     memcpy(result, outKey, outKeySize);
                                     ret = (int32_t)outKeySize;
                                 }
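Review bot: The added `return ret;` leaves the function from inside the base64 branch while `outKey` is still live. Its allocation is outside this hunk, but if it is a heap buffer released later in the branch, this early exit skips that release and leaves decoded key material allocated. Guarding only the copy would keep the existing cleanup path, e.g. `if (result_length >= outKeySize) { memcpy(result, outKey, outKeySize); ret = (int32_t)outKeySize; }` with the error log in an `else`.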
index edbd45d..c1cbf02 100644 (file)
@@ -952,6 +952,11 @@ static bool ValidateQuery(const char * query)
             bDeviceIDQry = true;
             OicUuid_t subject = {.id={0}};
 
+            if (sizeof(subject.id) < parseIter.valLen)
+            {
+                OIC_LOG (ERROR, TAG, "Subject ID length is too long");
+                return false;
+            }
             memcpy(subject.id, parseIter.valPos, parseIter.valLen);
             if (0 == memcmp(&gDoxm->deviceID.id, &subject.id, sizeof(gDoxm->deviceID.id)))
             {
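Review bot: The bound only rejects values longer than `subject.id`, while the `memcmp` that follows always compares the full `sizeof(gDoxm->deviceID.id)`. A shorter `parseIter.valLen` is therefore compared zero-padded, so a truncated query value can match a device ID whose trailing bytes are zero. If the query is expected to carry the full ID, an exact-length check is tighter: `if (sizeof(subject.id) != parseIter.valLen)`. `ValidateQuery` continues outside this hunk, so whether the bare `return false;` skips any cleanup could not be confirmed.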
@@ -1110,6 +1115,11 @@ void MultipleOwnerDTLSHandshakeCB(const CAEndpoint_t *object,
                 if(subOwnerInst)
                 {
                     char* strUuid = NULL;
+                    if (sizeof(subOwnerInst->uuid.id) < authenticationSubOwnerInfo.identity.id)
+                    {
+                        OIC_LOG(ERROR, TAG, "Identity id is too long");
+                        return;
+                    }
                     memcpy(subOwnerInst->uuid.id, authenticationSubOwnerInfo.identity.id,
                            authenticationSubOwnerInfo.identity.id_length);
                     if(OC_STACK_OK != ConvertUuidToStr(&subOwnerInst->uuid, &strUuid))
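Review bot: The added condition compares `sizeof(subOwnerInst->uuid.id)` with `authenticationSubOwnerInfo.identity.id`, the identity buffer itself, rather than with its length. The `memcpy` below is sized by `identity.id_length`, so that is the field the guard has to bound: `if (sizeof(subOwnerInst->uuid.id) < authenticationSubOwnerInfo.identity.id_length)`. As written the comparison is between an integer and an address, so it either fails to build cleanly or evaluates in a way unrelated to the copy size. The early `return;` also leaves `subOwnerInst` unreleased if it was allocated just before the `if(subOwnerInst)` test, which lies outside this hunk.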
index 931a175..285dc31 100644 (file)
@@ -635,6 +635,12 @@ int32_t GetDtlsPskForPreconfPinOxm( CADtlsPskCredType_t type,
                             return ret;
                         }
 
+                        if (g_PinOxmData.pinSize < pinLength)
+                        {
+                            OIC_LOG (ERROR, TAG, "PIN length too long");
+                            OICFree(pinBuffer);
+                            return ret;
+                        }
                         memcpy(g_PinOxmData.pinData, pinBuffer, pinLength);
                         OICFree(pinBuffer);
                     }
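Review bot: The guard bounds `pinLength` by `g_PinOxmData.pinSize`, a runtime field, whereas the other checks in this commit bound the copy by `sizeof` of the destination. If `pinSize` holds the configured PIN length rather than the capacity of `pinData` (the struct is not on this page), the check only protects the buffer while that field stays within the array size. Comparing against the array is independent of that invariant: `if (sizeof(g_PinOxmData.pinData) < pinLength)`, or `<=` if `pinData` must stay NUL-terminated. The same applies to the identical check in `GetDtlsPskForMotPreconfPinOxm` in the next hunk.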
@@ -735,6 +741,12 @@ int32_t GetDtlsPskForMotPreconfPinOxm( CADtlsPskCredType_t type,
                             return ret;
                         }
 
+                        if (g_PinOxmData.pinSize < pinLength)
+                        {
+                            OIC_LOG (ERROR, TAG, "PIN length is too long");
+                            OICFree(pinBuffer);
+                            return ret;
+                        }
                         memcpy(g_PinOxmData.pinData, pinBuffer, pinLength);
                         OICFree(pinBuffer);
                     }
index 68f11ba..672bd2c 100644 (file)
@@ -520,6 +520,11 @@ OCStackResult CBORPayloadToPconf(const uint8_t *cborPayload, size_t size, OicSec
                 uint8_t *pin = NULL;
                 cborFindResult = cbor_value_dup_byte_string(&pconfMap, &pin, &len, NULL);
                 VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to get value");
+                if (sizeof(pconf->pin.val) < len)
+                {
+                    OIC_LOG (ERROR, TAG, "PIN length is too long");
+                    goto exit;
+                }
                 memcpy(pconf->pin.val, pin, len);
                 OICFree(pin);
             }
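Review bot: The over-length path jumps to `exit` without releasing `pin`, which `cbor_value_dup_byte_string` allocated and which is declared inside this block, so the `exit` label cannot free it. Each oversized payload therefore leaks a buffer holding PIN bytes. Add `OICFree(pin);` before `goto exit;`, as the verresource.c hunk does for `version`. It is also worth confirming that the result code at `exit` reports an error here, since `cborFindResult` is still a success value at this point; the label is outside the hunk.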
index 3350da5..bfc4c9b 100644 (file)
@@ -190,6 +190,13 @@ OCStackResult CBORPayloadToVer(const uint8_t *cborPayload, size_t size,
         char *version = NULL;
         cborFindResult = cbor_value_dup_text_string(&verMap, &version, &len, NULL);
         VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Security Version Value.");
+        if (sizeof(ver->secv) < len)
+        {
+            OIC_LOG (ERROR, TAG, "Version length is too long");
+            OICFree(version);
+            OICFree(ver);
+            goto exit;
+        }
         memcpy(ver->secv, version, len);
         OICFree(version);
     }
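Review bot: The error path frees `ver` and then jumps to `exit` with the pointer still set and `cborFindResult` still a success value. The `exit` label is outside this hunk; if it frees `ver` on failure or publishes it to the caller on success, this becomes a double free or a dangling pointer. Setting `ver = NULL;` after `OICFree(ver);` keeps the path safe regardless of what the label does. Separately, `len == sizeof(ver->secv)` is still accepted, which leaves no terminator if `secv` is later read as a C string.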