[PATCH 2/3] assert input buffer size for qmi_utils_write_(fixed_size)?string_to_buffer()

Aleksander Morgado aleksander at aleksander.es
Wed Oct 8 02:19:35 PDT 2014 

On Mon, Oct 6, 2014 at 3:15 PM, Thomas Haller <thaller at redhat.com> wrote:
> Signed-off-by: Thomas Haller <thaller at redhat.com>
> ---

Pushed this one as-is.

I'm also going to write a new TLV building API, which would directly
write to the QmiMessage and check for overflows better than the
current code.


>  src/libqmi-glib/qmi-utils.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/src/libqmi-glib/qmi-utils.c b/src/libqmi-glib/qmi-utils.c
> index f85970d..3875a0b 100644
> --- a/src/libqmi-glib/qmi-utils.c
> +++ b/src/libqmi-glib/qmi-utils.c
> @@ -956,7 +956,7 @@ qmi_utils_write_string_to_buffer (guint8      **buffer,
>                                    guint8        length_prefix_size,
>                                    const gchar  *in)
>  {
> -    guint16 len;
> +    gsize len;
>      guint8 len_8;
>      guint16 len_16;
>
> @@ -967,20 +967,26 @@ qmi_utils_write_string_to_buffer (guint8      **buffer,
>                length_prefix_size == 8 ||
>                length_prefix_size == 16);
>
> -    len = (guint16) strlen (in);
> +    len = strlen (in);
> +
> +    g_assert (   len + (length_prefix_size/8) <= *buffer_size
> +              || (length_prefix_size==8 && ((int) G_MAXUINT8 + 1) < *buffer_size));
>
>      switch (length_prefix_size) {
>      case 0:
>          break;
>      case 8:
> -        g_warn_if_fail (len <= G_MAXUINT8);
> +        if (len > G_MAXUINT8) {
> +            g_warn_if_reached ();
> +            len = G_MAXUINT8;
> +        }
>          len_8 = (guint8)len;
>          qmi_utils_write_guint8_to_buffer (buffer,
>                                            buffer_size,
>                                            &len_8);
>          break;
>      case 16:
> -        g_warn_if_fail (len <= G_MAXUINT16);
> +        /* already asserted that @len is no larger then @buffer_size */
>          len_16 = (guint16)len;
>          qmi_utils_write_guint16_to_buffer (buffer,
>                                             buffer_size,
> @@ -1021,6 +1027,7 @@ qmi_utils_write_fixed_size_string_to_buffer (guint8      **buffer,
>      g_assert (buffer != NULL);
>      g_assert (buffer_size != NULL);
>      g_assert (fixed_size > 0);
> +    g_assert (fixed_size <= *buffer_size);
>
>      memcpy (*buffer, in, fixed_size);
>      *buffer = &((*buffer)[fixed_size]);
> --
> 1.9.3
>



-- 
Aleksander
https://aleksander.es

More information about the libqmi-devel mailing list