* [PATCH] gvariant: Exclude container's offsets from child iterator len
@ 2016-03-21 22:18 Andrew Zaborowski
2016-03-22 15:26 ` Denis Kenzior
0 siblings, 1 reply; 5+ messages in thread
From: Andrew Zaborowski @ 2016-03-21 22:18 UTC (permalink / raw)
To: ell
[-- Attachment #1: Type: text/plain, Size: 741 bytes --]
---
ell/gvariant-util.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ell/gvariant-util.c b/ell/gvariant-util.c
index 79ebf32..38efc0d 100644
--- a/ell/gvariant-util.c
+++ b/ell/gvariant-util.c
@@ -529,7 +529,15 @@ static const void *next_item(struct l_dbus_message_iter *iter,
}
if (iter->container_type != DBUS_CONTAINER_TYPE_ARRAY && last_member) {
- *out_item_size = iter->len - iter->pos;
+ unsigned int len = iter->len;
+
+ offset_len = offset_length(iter->len, 0);
+
+ if (iter->offsets && iter->offsets + offset_len <
+ iter->data + len)
+ len = iter->offsets + offset_len - iter->data;
+
+ *out_item_size = len - iter->pos;
goto done;
}
--
2.5.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH] dbus: More complete buffer size check in dbus_message_from_blob
@ 2016-03-19 6:00 Andrew Zaborowski
2016-03-19 6:00 ` [PATCH] gvariant: Exclude container's offsets from child iterator len Andrew Zaborowski
0 siblings, 1 reply; 5+ messages in thread
From: Andrew Zaborowski @ 2016-03-19 6:00 UTC (permalink / raw)
To: ell
[-- Attachment #1: Type: text/plain, Size: 798 bytes --]
---
ell/dbus-message.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ell/dbus-message.c b/ell/dbus-message.c
index 84d42d4..f9e13e2 100644
--- a/ell/dbus-message.c
+++ b/ell/dbus-message.c
@@ -643,9 +643,14 @@ struct l_dbus_message *dbus_message_from_blob(const void *data, size_t size)
message->header_size = align_len(DBUS_HEADER_SIZE +
hdr->field_length, 8);
- message->header = l_malloc(message->header_size);
-
message->body_size = hdr->body_length;
+
+ if (message->header_size + message->body_size < size) {
+ l_free(message);
+ return NULL;
+ }
+
+ message->header = l_malloc(message->header_size);
message->body = l_malloc(message->body_size);
memcpy(message->header, data, message->header_size);
--
2.5.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH] gvariant: Exclude container's offsets from child iterator len.
2016-03-19 6:00 [PATCH] dbus: More complete buffer size check in dbus_message_from_blob Andrew Zaborowski
@ 2016-03-19 6:00 ` Andrew Zaborowski
2016-03-21 17:57 ` Denis Kenzior
0 siblings, 1 reply; 5+ messages in thread
From: Andrew Zaborowski @ 2016-03-19 6:00 UTC (permalink / raw)
To: ell
[-- Attachment #1: Type: text/plain, Size: 1004 bytes --]
---
ell/gvariant-util.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ell/gvariant-util.c b/ell/gvariant-util.c
index 1aaddc3..61e5b52 100644
--- a/ell/gvariant-util.c
+++ b/ell/gvariant-util.c
@@ -497,6 +497,7 @@ static const void *next_item(struct l_dbus_message_iter *iter,
bool last_member;
unsigned int sig_len;
unsigned int offset_len;
+ unsigned int len = iter->len;
memcpy(sig, iter->sig_start + iter->sig_pos,
iter->sig_len - iter->sig_pos);
@@ -529,7 +530,14 @@ static const void *next_item(struct l_dbus_message_iter *iter,
}
if (iter->container_type != DBUS_CONTAINER_TYPE_ARRAY && last_member) {
- *out_item_size = iter->len - iter->pos;
+ offset_len = offset_length(iter->len, 0);
+ len = iter->len;
+
+ if (iter->offsets && iter->offsets + offset_len <
+ iter->data + len)
+ len = iter->offsets + offset_len - iter->data;
+
+ *out_item_size = len - iter->pos;
goto done;
}
--
2.5.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] gvariant: Exclude container's offsets from child iterator len.
2016-03-19 6:00 ` [PATCH] gvariant: Exclude container's offsets from child iterator len Andrew Zaborowski
@ 2016-03-21 17:57 ` Denis Kenzior
2016-03-21 22:09 ` Andrzej Zaborowski
0 siblings, 1 reply; 5+ messages in thread
From: Denis Kenzior @ 2016-03-21 17:57 UTC (permalink / raw)
To: ell
[-- Attachment #1: Type: text/plain, Size: 1368 bytes --]
Hi Andrew,
On 03/19/2016 01:00 AM, Andrew Zaborowski wrote:
> ---
> ell/gvariant-util.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/ell/gvariant-util.c b/ell/gvariant-util.c
> index 1aaddc3..61e5b52 100644
> --- a/ell/gvariant-util.c
> +++ b/ell/gvariant-util.c
> @@ -497,6 +497,7 @@ static const void *next_item(struct l_dbus_message_iter *iter,
> bool last_member;
> unsigned int sig_len;
> unsigned int offset_len;
> + unsigned int len = iter->len;
Looks like this belongs in the if block below.
>
> memcpy(sig, iter->sig_start + iter->sig_pos,
> iter->sig_len - iter->sig_pos);
> @@ -529,7 +530,14 @@ static const void *next_item(struct l_dbus_message_iter *iter,
> }
>
> if (iter->container_type != DBUS_CONTAINER_TYPE_ARRAY && last_member) {
> - *out_item_size = iter->len - iter->pos;
> + offset_len = offset_length(iter->len, 0);
> + len = iter->len;
> +
> + if (iter->offsets && iter->offsets + offset_len <
> + iter->data + len)
> + len = iter->offsets + offset_len - iter->data;
> +
> + *out_item_size = len - iter->pos;
This looks fine to me. I'm guessing the location of the child
iterator's offsets was being messed up? Hence variable length field
sizes were incorrect. Right?
> goto done;
> }
>
>
Regards,
-Denis
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] gvariant: Exclude container's offsets from child iterator len.
2016-03-21 17:57 ` Denis Kenzior
@ 2016-03-21 22:09 ` Andrzej Zaborowski
0 siblings, 0 replies; 5+ messages in thread
From: Andrzej Zaborowski @ 2016-03-21 22:09 UTC (permalink / raw)
To: ell
[-- Attachment #1: Type: text/plain, Size: 1789 bytes --]
Hi Denis,
On 21 March 2016 at 18:57, Denis Kenzior <denkenz@gmail.com> wrote:
> Hi Andrew,
>
> On 03/19/2016 01:00 AM, Andrew Zaborowski wrote:
>>
>> ---
>> ell/gvariant-util.c | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> diff --git a/ell/gvariant-util.c b/ell/gvariant-util.c
>> index 1aaddc3..61e5b52 100644
>> --- a/ell/gvariant-util.c
>> +++ b/ell/gvariant-util.c
>> @@ -497,6 +497,7 @@ static const void *next_item(struct
>> l_dbus_message_iter *iter,
>> bool last_member;
>> unsigned int sig_len;
>> unsigned int offset_len;
>> + unsigned int len = iter->len;
>
>
> Looks like this belongs in the if block below.
True, it's also redundant.
>
>>
>> memcpy(sig, iter->sig_start + iter->sig_pos,
>> iter->sig_len - iter->sig_pos);
>> @@ -529,7 +530,14 @@ static const void *next_item(struct
>> l_dbus_message_iter *iter,
>> }
>>
>> if (iter->container_type != DBUS_CONTAINER_TYPE_ARRAY &&
>> last_member) {
>> - *out_item_size = iter->len - iter->pos;
>> + offset_len = offset_length(iter->len, 0);
>> + len = iter->len;
>> +
>> + if (iter->offsets && iter->offsets + offset_len <
>> + iter->data + len)
>> + len = iter->offsets + offset_len - iter->data;
>> +
>> + *out_item_size = len - iter->pos;
>
>
> This looks fine to me. I'm guessing the location of the child iterator's
> offsets was being messed up? Hence variable length field sizes were
> incorrect. Right?
I think that is what was happening, in the end it would read some
child value from a completely wrong place.
Best regards
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-03-22 15:26 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-21 22:18 [PATCH] gvariant: Exclude container's offsets from child iterator len Andrew Zaborowski
2016-03-22 15:26 ` Denis Kenzior
-- strict thread matches above, loose matches on Subject: below --
2016-03-19 6:00 [PATCH] dbus: More complete buffer size check in dbus_message_from_blob Andrew Zaborowski
2016-03-19 6:00 ` [PATCH] gvariant: Exclude container's offsets from child iterator len Andrew Zaborowski
2016-03-21 17:57 ` Denis Kenzior
2016-03-21 22:09 ` Andrzej Zaborowski
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.