From 4e199d8d39d6c181c7bca66000ab297f3c57f3bd Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Mon, 19 Jul 2010 12:49:07 +0300
Subject: [PATCH] obexd: fix possible buffer overflow
When checking if driver matches target or who sizes were not being verified which can cause invalid accesses when the received target size is bigger than driver's target size. To fix this memncmp0 was introduced to takes both sizes and compares them before calling memcmp.
---
 obexd/src/mimetype.c | 4 ++--
 obexd/src/obex.c | 7 +++++--
 obexd/src/obex.h | 2 +-
 obexd/src/service.c | 6 ++++--
 4 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/obexd/src/mimetype.c b/obexd/src/mimetype.c
index 7b96ec292..fa52e7571 100644
--- a/obexd/src/mimetype.c
+++ b/obexd/src/mimetype.c
@@ -126,10 +126,10 @@ static struct obex_mime_type_driver *find_driver(const uint8_t *target, for (l = drivers; l; l = l->next) { struct obex_mime_type_driver *driver = l->data; - if (memcmp0(target, driver->target, TARGET_SIZE)) + if (memncmp0(target, TARGET_SIZE, driver->target, TARGET_SIZE)) continue; - if (memcmp0(who, driver->who, who_size)) + if (memncmp0(who, who_size, driver->who, driver->who_size)) continue; if (g_strcmp0(mimetype, driver->mimetype) == 0)
diff --git a/obexd/src/obex.c b/obexd/src/obex.c
index db04bfde3..3aee4cb2f 100644
--- a/obexd/src/obex.c
+++ b/obexd/src/obex.c
@@ -1385,13 +1385,16 @@ int obex_aparam_write(struct obex_session *os, OBEX_HDR_APPARAM, hd, size, 0); } -int memcmp0(const void *a, const void *b, size_t n) +int memncmp0(const void *a, size_t na, const void *b, size_t nb) { + if (na != nb) + return na - nb; + if (a == NULL) return -(a != b); if (b == NULL) return a != b; - return memcmp(a, b, n); + return memcmp(a, b, na); }
diff --git a/obexd/src/obex.h b/obexd/src/obex.h
index 081e03b34..9424b6bfb 100644
--- a/obexd/src/obex.h
+++ b/obexd/src/obex.h
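Review bot: In find_driver the target comparison passes `TARGET_SIZE` for both lengths, so the new length check in `memncmp0` can never reject anything here and the call still reads `TARGET_SIZE` bytes from `target`. The received target's real length is not visible in this hunk (find_driver's signature and body continue outside it), so this is only safe if every caller has already verified that length; the service.c hunk, by contrast, passes the received `target_size`. I would state that precondition above the call, e.g. `/* target must be exactly TARGET_SIZE bytes; callers validate the received length */`, or pass the received length through if find_driver has it.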
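Review bot: `return na - nb;` in memncmp0 subtracts two `size_t` values and narrows the result to `int`, so where `size_t` is wider than `int` a difference that is a multiple of 2^32 becomes 0 and two buffers of different length are reported as equal. The lengths passed by the callers in this patch are presumably small OBEX header sizes, so this may not be reachable today, but the helper is exported through obex.h and its callers treat 0 as a match. Returning a fixed sign avoids the conversion entirely: `return na < nb ? -1 : 1;`.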
@@ -64,4 +64,4 @@ const char *obex_option_root_folder(void); gboolean obex_option_symlinks(void); /* Just a thin wrapper around memcmp to deal with NULL values */ -int memcmp0(const void *a, const void *b, size_t n); +int memncmp0(const void *a, size_t na, const void *b, size_t nb);
diff --git a/obexd/src/service.c b/obexd/src/service.c
index 1692a41e0..f7c5a61df 100644
--- a/obexd/src/service.c
+++ b/obexd/src/service.c
@@ -47,10 +47,12 @@ struct obex_service_driver *obex_service_driver_find(GSList *drivers, struct obex_service_driver *driver = l->data; /* who is optional, so only check for it if not NULL */ - if (who != NULL && memcmp0(who, driver->who, who_size)) + if (who != NULL && memncmp0(who, who_size, driver->who, + driver->who_size)) continue; - if (memcmp0(target, driver->target, target_size) == 0) + if (memncmp0(target, target_size, driver->target, + driver->target_size) == 0) return driver; }
--
2.47.3
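Review bot: The comment kept above the prototype still reads `Just a thin wrapper around memcmp to deal with NULL values`, which no longer describes memncmp0: per the obex.c hunk it now takes one length per buffer and returns non-zero when they differ, before memcmp is reached. Callers depend on that to avoid reading past the shorter buffer, so the contract belongs in the header, for example `/* memcmp that first compares the lengths (non-zero if they differ) and tolerates NULL buffers */`.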