[PATCH 1/3] tests: Demarshalling of very long array/string lengths.
Michal Srb
msrb at suse.com
Tue Aug 14 11:07:51 UTC 2018
Attempting to demarshal a message with an array or string longer than its
body should return failure. Handling the length correctly is tricky when
it gets to near-UINT32_MAX values. Unexpected overflows can cause
crashes and other security issues.
These tests verify that demarshalling such a message gives failure instead
of a crash.
---
tests/connection-test.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/tests/connection-test.c b/tests/connection-test.c
index 157e1bc..09b0f00 100644
--- a/tests/connection-test.c
+++ b/tests/connection-test.c
@@ -533,6 +533,52 @@ TEST(connection_marshal_demarshal)
release_marshal_data(&data);
}
+static void
+expected_fail_demarshal(struct marshal_data *data, const char *format, uint32_t *msg, int expected_error)
+{
+ struct wl_message message = { "test", format, NULL };
+ struct wl_closure *closure;
+ struct wl_map objects;
+ int size = msg[1];
+
+ assert(write(data->s[1], msg, size) == size);
+ assert(wl_connection_read(data->read_connection) == size);
+
+ wl_map_init(&objects, WL_MAP_SERVER_SIDE);
+ closure = wl_connection_demarshal(data->read_connection,
+ size, &objects, &message);
+
+ assert(closure == NULL);
+ assert(errno == expected_error);
+}
+
+TEST(connection_demarshal_failures)
+{
+ struct marshal_data data;
+ uint32_t msg[10];
+
+ setup_marshal_data(&data);
+
+ // These need careful handling on 32bit systems.
+ uint32_t overflowing_values[] = {
+ 0xffffffff, 0xfffffffe, 0xfffffffd, 0xfffffffc,
+ 0xfffff000, 0xffffd000, 0xffffc000, 0xffffb000
+ };
+ for (unsigned int i = 0; i < ARRAY_LENGTH(overflowing_values); i++) {
+ msg[0] = 400200;
+ msg[1] = 24;
+ msg[2] = overflowing_values[i];
+ expected_fail_demarshal(&data, "s", msg, EINVAL);
+
+ msg[0] = 400200;
+ msg[1] = 24;
+ msg[2] = overflowing_values[i];
+ expected_fail_demarshal(&data, "a", msg, EINVAL);
+ }
+
+ release_marshal_data(&data);
+}
+
TEST(connection_marshal_alot)
{
struct marshal_data data;
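Review bot: `assert(errno == expected_error)` in expected_fail_demarshal can pass on a stale value, because errno is never cleared before `wl_connection_demarshal` is called. In the loop the "a" case runs right after the "s" case has left EINVAL behind, so a NULL return for an unrelated reason would still satisfy the check and could hide a regression in the length handling. Adding `errno = 0;` just before the `wl_connection_demarshal` call makes each case prove that this call reported the error. Separately, `uint32_t msg[10];` is uninitialised and only words 0-2 are set, yet 24 bytes (six words) are written to the socket, so the test sends indeterminate stack contents and is likely to be flagged by Valgrind or MSan. `uint32_t msg[10] = { 0 };` makes the message body deterministic.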
--
2.16.4