[PATCH wayland 3/4] Add a version field to wl_resource and verify request versions before calling them

Jason Ekstrand jason at jlekstrand.net
Thu Jun 27 18:09:20 PDT 2013 

This commit provides a layer of protection for the compositor in the form
of message version checking.  Version information is provided to libwayland
as an aditional argument to wl_client_add_object and wl_client_new_object.
libwayland then uses this version information to verify that a request
exists in that protocol version before invoking it.  This way libwayland
won't accidentally invoke a request that does not exist and thereby cause
the compositor to crash.

Signed-off-by: Jason Ekstrand <jason at jlekstrand.net>
---
 src/wayland-server.c | 64 ++++++++++++++++++++++++++++++++++++++++++++--------
 src/wayland-server.h | 12 ++++++++++
 src/wayland-shm.c    | 24 ++++++++++++--------
 3 files changed, 80 insertions(+), 20 deletions(-)

diff --git a/src/wayland-server.c b/src/wayland-server.c
index 0c3fbc9..67d52bd 100644
--- a/src/wayland-server.c
+++ b/src/wayland-server.c
@@ -109,6 +109,7 @@ struct wl_resource {
 	struct wl_signal destroy_signal;
 	struct wl_client *client;
 	void *data;
+	int version;
 };
 
 static int wl_debug = 0;
@@ -210,6 +211,7 @@ wl_client_connection_data(int fd, uint32_t mask, void *data)
 	struct wl_closure *closure;
 	const struct wl_message *message;
 	uint32_t p[2];
+	uint32_t resource_flags;
 	int opcode, size;
 	int len;
 
@@ -246,6 +248,7 @@ wl_client_connection_data(int fd, uint32_t mask, void *data)
 			break;
 
 		resource = wl_map_lookup(&client->objects, p[0]);
+		resource_flags = wl_map_lookup_flags(&client->objects, p[0]);
 		if (resource == NULL) {
 			wl_resource_post_error(client->display_resource,
 					       WL_DISPLAY_ERROR_INVALID_OBJECT,
@@ -265,6 +268,19 @@ wl_client_connection_data(int fd, uint32_t mask, void *data)
 		}
 
 		message = &object->interface->methods[opcode];
+		if (!(resource_flags & WL_MAP_ENTRY_LEGACY) &&
+		    resource->version > 0 &&
+		    resource->version < wl_message_get_since(message)) {
+			wl_resource_post_error(client->display_resource,
+					       WL_DISPLAY_ERROR_INVALID_METHOD,
+					       "invalid method %d, object %s@%u",
+					       opcode,
+					       object->interface->name,
+					       object->id);
+			break;
+		}
+
+
 		closure = wl_connection_demarshal(client->connection, size,
 						  &client->objects, message);
 		len -= size;
@@ -510,6 +526,12 @@ wl_resource_get_user_data(struct wl_resource *resource)
 	return resource->data;
 }
 
+WL_EXPORT int
+wl_resource_get_version(struct wl_resource *resource)
+{
+	return resource->version;
+}
+
 WL_EXPORT void
 wl_resource_set_destructor(struct wl_resource *resource,
 			   wl_resource_destroy_func_t destroy)
@@ -603,8 +625,9 @@ display_sync(struct wl_client *client,
 	struct wl_resource *callback;
 	uint32_t serial;
 
-	callback = wl_client_add_object(client,
-					&wl_callback_interface, NULL, id, NULL);
+	callback = wl_client_add_versioned_object(client,
+						  &wl_callback_interface, 1,
+						  NULL, id, NULL);
 	serial = wl_display_get_serial(client->display);
 	wl_callback_send_done(callback, serial);
 	wl_resource_destroy(callback);
@@ -626,8 +649,9 @@ display_get_registry(struct wl_client *client,
 	struct wl_global *global;
 
 	registry_resource =
-		wl_client_add_object(client, &wl_registry_interface,
-				     &registry_interface, id, display);
+		wl_client_add_versioned_object(client, &wl_registry_interface,
+					       1, &registry_interface, id,
+					       display);
 	registry_resource->destroy = unbind_resource;
 
 	wl_list_insert(&display->registry_resource_list,
@@ -660,8 +684,8 @@ bind_display(struct wl_client *client,
 	struct wl_display *display = data;
 
 	client->display_resource =
-		wl_client_add_object(client, &wl_display_interface,
-				     &display_interface, id, display);
+		wl_client_add_versioned_object(client, &wl_display_interface, 1,
+					       &display_interface, id, display);
 
 	if(client->display_resource)
 		client->display_resource->destroy = destroy_client_display_resource;
@@ -998,8 +1022,17 @@ wl_display_get_destroy_listener(struct wl_display *display,
 WL_EXPORT struct wl_resource *
 wl_client_add_object(struct wl_client *client,
 		     const struct wl_interface *interface,
-		     const void *implementation,
-		     uint32_t id, void *data)
+		     const void *implementation, uint32_t id, void *data)
+{
+	return wl_client_add_versioned_object(client, interface, -1,
+					      implementation, id, data);
+}
+
+WL_EXPORT struct wl_resource *
+wl_client_add_versioned_object(struct wl_client *client,
+			       const struct wl_interface *interface,
+			       int version, const void *implementation,
+			       uint32_t id, void *data)
 {
 	struct wl_resource *resource;
 
@@ -1018,6 +1051,7 @@ wl_client_add_object(struct wl_client *client,
 	resource->destroy = NULL;
 	resource->client = client;
 	resource->data = data;
+	resource->version = version;
 
 	if (wl_map_insert_at(&client->objects, 0, resource->object.id, resource) < 0) {
 		wl_resource_post_error(client->display_resource,
@@ -1036,11 +1070,21 @@ wl_client_new_object(struct wl_client *client,
 		     const struct wl_interface *interface,
 		     const void *implementation, void *data)
 {
+	return wl_client_new_versioned_object(client, interface, -1,
+					      implementation, data);
+}
+
+WL_EXPORT struct wl_resource *
+wl_client_new_versioned_object(struct wl_client *client,
+			       const struct wl_interface *interface,
+			       int version, const void *implementation,
+			       void *data)
+{
 	uint32_t id;
 
 	id = wl_map_insert_new(&client->objects, 0, NULL);
-	return wl_client_add_object(client,
-				    interface, implementation, id, data);
+	return wl_client_add_versioned_object(client, interface, version,
+					      implementation, id, data);
 
 }
 
diff --git a/src/wayland-server.h b/src/wayland-server.h
index 7c53cfc..8924128 100644
--- a/src/wayland-server.h
+++ b/src/wayland-server.h
@@ -131,10 +131,20 @@ wl_client_add_object(struct wl_client *client,
 		     const struct wl_interface *interface,
 		     const void *implementation, uint32_t id, void *data);
 struct wl_resource *
+wl_client_add_versioned_object(struct wl_client *client,
+			       const struct wl_interface *interface,
+			       int version, const void *implementation,
+			       uint32_t id, void *data);
+struct wl_resource *
 wl_client_new_object(struct wl_client *client,
 		     const struct wl_interface *interface,
 		     const void *implementation, void *data);
 struct wl_resource *
+wl_client_new_versioned_object(struct wl_client *client,
+			       const struct wl_interface *interface,
+			       int version, const void *implementation,
+			       void *data);
+struct wl_resource *
 wl_client_get_object(struct wl_client *client, uint32_t id);
 
 struct wl_listener {
@@ -258,6 +268,8 @@ void
 wl_resource_set_user_data(struct wl_resource *resource, void *data);
 void *
 wl_resource_get_user_data(struct wl_resource *resource);
+int
+wl_resource_get_version(struct wl_resource *resource);
 void
 wl_resource_set_destructor(struct wl_resource *resource,
 			   wl_resource_destroy_func_t destroy);
diff --git a/src/wayland-shm.c b/src/wayland-shm.c
index 8a10253..e37b7d9 100644
--- a/src/wayland-shm.c
+++ b/src/wayland-shm.c
@@ -127,9 +127,10 @@ shm_pool_create_buffer(struct wl_client *client, struct wl_resource *resource,
 	buffer->pool = pool;
 	pool->refcount++;
 
-	buffer->resource = wl_client_add_object(client, &wl_buffer_interface,
-						&shm_buffer_interface,
-						id, buffer);
+	buffer->resource =
+		wl_client_add_versioned_object(client, &wl_buffer_interface, 1,
+					       &shm_buffer_interface,
+					       id, buffer);
 	wl_resource_set_destructor(buffer->resource, destroy_buffer);
 }
 
@@ -204,8 +205,9 @@ shm_create_pool(struct wl_client *client, struct wl_resource *resource,
 	}
 	close(fd);
 
-	pool->resource = wl_client_add_object(client, &wl_shm_pool_interface,
-					      &shm_pool_interface, id, pool);
+	pool->resource =
+		wl_client_add_versioned_object(client, &wl_shm_pool_interface, 1,
+					       &shm_pool_interface, id, pool);
 	if (!pool->resource)
 		goto err_free;
 
@@ -229,8 +231,8 @@ bind_shm(struct wl_client *client,
 {
 	struct wl_resource *resource;
 
-	resource = wl_client_add_object(client, &wl_shm_interface,
-					&shm_interface, id, data);
+	resource = wl_client_add_versioned_object(client, &wl_shm_interface, 1,
+						  &shm_interface, id, data);
 
 	wl_shm_send_format(resource, WL_SHM_FORMAT_ARGB8888);
 	wl_shm_send_format(resource, WL_SHM_FORMAT_XRGB8888);
@@ -272,9 +274,11 @@ wl_shm_buffer_create(struct wl_client *client,
 	buffer->pool = NULL;
 
 
-	buffer->resource = wl_client_add_object(client, &wl_buffer_interface,
-						&shm_buffer_interface,
-						id, buffer);
+	buffer->resource =
+		wl_client_add_versioned_object(client,
+					       &wl_buffer_interface, 1,
+					       &shm_buffer_interface,
+					       id, buffer);
 	wl_resource_set_destructor(buffer->resource, destroy_buffer);
 
 	return buffer;
-- 
1.8.2.1

More information about the wayland-devel mailing list