author | Aleksander Morgado <aleksander@aleksander.es> | 2019-11-26 16:52:58 +0100 |
---|---|---|
committer | Aleksander Morgado <aleksander@aleksander.es> | 2019-11-26 23:01:19 +0100 |
commit | 093b0bf07eb85d989c6db855bcb63ef36ab372b9 (patch) | |
tree | 72e993b3cf0f27d1b75247abe5065b7b068b30b1 | |
parent | 3e33a1e839254940ff17b4b38923dca21f857a6a (diff) | |
download | libmbim-093b0bf07eb85d989c6db855bcb63ef36ab372b9.tar.gz |
libmbim-glib,message: reading guint32 array may fail
-rw-r--r-- | build-aux/mbim-codegen/Struct.py | 4 | ||||
-rw-r--r-- | src/libmbim-glib/mbim-message-private.h | 8 | ||||
-rw-r--r-- | src/libmbim-glib/mbim-message.c | 49 | ||||
-rw-r--r-- | src/libmbim-glib/mbim-proxy-helpers.c | 4 |
4 files changed, 41 insertions, 24 deletions
diff --git a/build-aux/mbim-codegen/Struct.py b/build-aux/mbim-codegen/Struct.py index e2f16b9..6dd2dbc 100644 --- a/build-aux/mbim-codegen/Struct.py +++ b/build-aux/mbim-codegen/Struct.py @@ -501,10 +501,12 @@ class Struct: ' goto out;\n' ' offset += 4;\n') elif field['format'] == 'guint32-array': + count_early_outs += 1 translations['array_size_field_name_underscore'] = utils.build_underscore_name_from_camelcase(field['array-size-field']) inner_template += ( '\n' - ' out->${field_name_underscore} = _mbim_message_read_guint32_array (self, out->${array_size_field_name_underscore}, offset);\n' + ' if (!_mbim_message_read_guint32_array (self, out->${array_size_field_name_underscore}, offset, &out->${field_name_underscore}, error))\n' + ' goto out;\n' ' offset += (4 * out->${array_size_field_name_underscore});\n') elif field['format'] == 'guint64': inner_template += ( diff --git a/src/libmbim-glib/mbim-message-private.h b/src/libmbim-glib/mbim-message-private.h index 55faa78..97fce0f 100644 --- a/src/libmbim-glib/mbim-message-private.h +++ b/src/libmbim-glib/mbim-message-private.h @@ -273,10 +273,12 @@ gboolean _mbim_message_read_guint32 (const MbimMessage *self, guint32 relative_offset, guint32 *value, GError **error); +gboolean _mbim_message_read_guint32_array (const MbimMessage *self, + guint32 array_size, + guint32 relative_offset_array_start, + guint32 **array, + GError **error); -guint32 *_mbim_message_read_guint32_array (const MbimMessage *self, - guint32 array_size, - guint32 relative_offset_array_start); guint64 _mbim_message_read_guint64 (const MbimMessage *self, guint64 relative_offset); gchar *_mbim_message_read_string (const MbimMessage *self, diff --git a/src/libmbim-glib/mbim-message.c b/src/libmbim-glib/mbim-message.c index 3872f17..113f383 100644 --- a/src/libmbim-glib/mbim-message.c +++ b/src/libmbim-glib/mbim-message.c 
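Review bot: The new prototype for _mbim_message_read_guint32_array in mbim-message-private.h carries no comment on what the caller receives through `array`, and that is not obvious from the signature: the implementation in the mbim-message.c hunk leaves `*array` NULL when array_size is 0, otherwise stores a g_new()ed buffer with one trailing 0 element that the caller now owns, and on failure sets error without touching `*array`. Suggest a comment above the declaration: `/* On success *array is NULL (array_size == 0) or a zero-terminated buffer owned by the caller (g_free); on failure error is set and *array is left untouched. */`. Both the generated code from Struct.py and the caller in mbim-proxy-helpers.c rely on exactly this contract.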
@@ -199,32 +199,45 @@ _mbim_message_read_guint32 (const MbimMessage *self, return TRUE; } -guint32 * -_mbim_message_read_guint32_array (const MbimMessage *self, - guint32 array_size, - guint32 relative_offset_array_start) +gboolean +_mbim_message_read_guint32_array (const MbimMessage *self, + guint32 array_size, + guint32 relative_offset_array_start, + guint32 **array, + GError **error) { - guint i; - guint32 *out; + guint32 required_size; + guint i; guint32 information_buffer_offset; - if (!array_size) - return NULL; + g_assert (array != NULL); + + if (!array_size) { + *array = NULL; + return TRUE; + } information_buffer_offset = _mbim_message_get_information_buffer_offset (self); - out = g_new (guint32, array_size + 1); - for (i = 0; i < array_size; i++) { - out[i] = GUINT32_FROM_LE (G_STRUCT_MEMBER ( - guint32, - self->data, - (information_buffer_offset + - relative_offset_array_start + - (4 * i)))); + required_size = information_buffer_offset + relative_offset_array_start + (4 * array_size); + if (self->len < required_size) { + g_set_error (error, MBIM_CORE_ERROR, MBIM_CORE_ERROR_INVALID_MESSAGE, + "cannot read 32bit unsigned integer array (%u bytes) (%u < %u)", + (4 * array_size), self->len, required_size); + return FALSE; } - out[array_size] = 0; - return out; + *array = g_new (guint32, array_size + 1); + for (i = 0; i < array_size; i++) { + (*array)[i] = GUINT32_FROM_LE (G_STRUCT_MEMBER ( + guint32, + self->data, + (information_buffer_offset + + relative_offset_array_start + + (4 * i)))); + } + (*array)[array_size] = 0; + return TRUE; } guint64 diff --git a/src/libmbim-glib/mbim-proxy-helpers.c b/src/libmbim-glib/mbim-proxy-helpers.c index e527801..f4107d0 100644 --- a/src/libmbim-glib/mbim-proxy-helpers.c +++ b/src/libmbim-glib/mbim-proxy-helpers.c 
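Review bot: The new bounds check `required_size = information_buffer_offset + relative_offset_array_start + (4 * array_size);` is computed in guint32 and wraps silently when array_size is 2^30 or more, or when the offsets are large; since array_size comes from the message itself in both callers, a wrapped required_size passes `self->len < required_size` and the loop below then reads past self->data, which is the very case this commit sets out to reject. Widen the arithmetic instead: `guint64 required_size;`, `required_size = (guint64)information_buffer_offset + relative_offset_array_start + (4ULL * array_size);`, and compare as `if ((guint64)self->len < required_size)`, adjusting the `%u` in the error message to G_GUINT64_FORMAT. The loop body and the `(*array)[array_size] = 0;` terminator are then only reached with a validated size, and the `array_size + 1` passed to g_new cannot wrap for any size that survives the widened check.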
@@ -167,8 +167,8 @@ _mbim_proxy_helper_service_subscribe_request_parse (MbimMessage *message, break; array_offset += 4; - if (array[i]->cids_count) - array[i]->cids = _mbim_message_read_guint32_array (message, array[i]->cids_count, array_offset); + if (array[i]->cids_count && !_mbim_message_read_guint32_array (message, array[i]->cids_count, array_offset, &array[i]->cids, &inner_error)) + break; offset += 8; } } |
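Review bot: The `array[i]->cids_count &&` guard on the new condition is redundant: the callee now returns TRUE and stores NULL into `*array` when array_size is 0, so calling it unconditionally, `if (!_mbim_message_read_guint32_array (message, array[i]->cids_count, array_offset, &array[i]->cids, &inner_error)) break;`, makes `cids` deterministically NULL for an empty array instead of depending on how array[i] was allocated, which is outside this hunk. The `break` leaves inner_error set for the code after the loop, presumably in the same way the earlier `break` in this loop already does, but that handling is also outside the hunk. The enclosing loop of _mbim_proxy_helper_service_subscribe_request_parse starts and ends outside the hunk.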