[PATCH 1/3] tests: Demarshalling of very long array/string lengths.

Michal Srb msrb at suse.com
Tue Aug 14 11:07:51 UTC 2018


Attempting to demarshal message with array or string longer than its
body should return failure. Handling the length correctly is tricky when
it gets to near-UINT32_MAX values. Unexpected overflows can cause
crashes and other security issues.

These tests verify that demarshalling such message gives failure instead
of crash.
---
 tests/connection-test.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/tests/connection-test.c b/tests/connection-test.c
index 157e1bc..09b0f00 100644
--- a/tests/connection-test.c
+++ b/tests/connection-test.c
@@ -533,6 +533,52 @@ TEST(connection_marshal_demarshal)
 	release_marshal_data(&data);
 }
 
+static void
+expected_fail_demarshal(struct marshal_data *data, const char *format, uint32_t *msg, int expected_error)
+{
+	struct wl_message message = { "test", format, NULL };
+	struct wl_closure *closure;
+	struct wl_map objects;
+	int size = msg[1];
+
+	assert(write(data->s[1], msg, size) == size);
+	assert(wl_connection_read(data->read_connection) == size);
+
+	wl_map_init(&objects, WL_MAP_SERVER_SIDE);
+	closure = wl_connection_demarshal(data->read_connection,
+					    size, &objects, &message);
+
+	assert(closure == NULL);
+	assert(errno == expected_error);
+}
+
+TEST(connection_demarshal_failures)
+{
+	struct marshal_data data;
+	uint32_t msg[10];
+
+	setup_marshal_data(&data);
+
+	// These need careful handling on 32bit systems.
+	uint32_t overflowing_values[] = {
+		0xffffffff, 0xfffffffe, 0xfffffffd, 0xfffffffc,
+		0xfffff000, 0xffffd000, 0xffffc000, 0xffffb000
+	};
+	for (unsigned int i = 0; i < ARRAY_LENGTH(overflowing_values); i++) {
+		msg[0] = 400200;
+		msg[1] = 24;
+		msg[2] = overflowing_values[i];
+		expected_fail_demarshal(&data, "s", msg, EINVAL);
+
+		msg[0] = 400200;
+		msg[1] = 24;
+		msg[2] = overflowing_values[i];
+		expected_fail_demarshal(&data, "a", msg, EINVAL);
+	}
+
+	release_marshal_data(&data);
+}
+
 TEST(connection_marshal_alot)
 {
 	struct marshal_data data;
-- 
2.16.4



More information about the wayland-devel mailing list