diff options
author | Havoc Pennington <hp@redhat.com> | 2003-04-08 20:16:03 +0000 |
---|---|---|
committer | Havoc Pennington <hp@redhat.com> | 2003-04-08 20:16:03 +0000 |
commit | 6c241c1035a74f9ad4a526424a0be5c816bc61cb (patch) | |
tree | 57c2d76171edf47427a2c3b3821de71aeff00845 /dbus/dbus-marshal.c | |
parent | c5020ac870c5990a36c3576453cc23431213e8bf (diff) |
2003-04-08 Havoc Pennington <hp@redhat.com>
* bus/driver.c (bus_driver_handle_acquire_service): init
retval/reply before checking name
* dbus/dbus-marshal.c (_dbus_marshal_validate_arg): add a
recursion depth argument
* dbus/dbus-message.h (struct DBusMessageIter): put some padding
in the public struct for future extension
* dbus/dbus-message-builder.c (_dbus_message_data_load): fix
typo
* dbus/dbus-marshal.c (_dbus_marshal_validate_arg): fix a verbose
message
* doc/dbus-specification.sgml: fix typo
Diffstat (limited to 'dbus/dbus-marshal.c')
-rw-r--r-- | dbus/dbus-marshal.c | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/dbus/dbus-marshal.c b/dbus/dbus-marshal.c index a5cea383..83a3e6f2 100644 --- a/dbus/dbus-marshal.c +++ b/dbus/dbus-marshal.c @@ -1184,9 +1184,14 @@ _dbus_marshal_validate_type (const DBusString *str, * returns #TRUE if a valid arg begins at "pos" * * @todo security: need to audit this function. + * + * @todo For array types that can't be invalid, we should not + * walk the whole array validating it. e.g. just skip all the + * int values in an int array. * * @param str a string * @param byte_order the byte order to use + * @param depth current recursion depth, to prevent excessive recursion * @param type the type of the argument * @param pos the pos where the arg starts * @param end_pos pointer where the position right @@ -1196,13 +1201,25 @@ _dbus_marshal_validate_type (const DBusString *str, dbus_bool_t _dbus_marshal_validate_arg (const DBusString *str, int byte_order, + int depth, int type, int pos, int *end_pos) { if (pos > _dbus_string_get_length (str)) - return FALSE; + { + _dbus_verbose ("Validation went off the end of the message\n"); + return FALSE; + } +#define MAX_VALIDATION_DEPTH 32 + + if (depth > MAX_VALIDATION_DEPTH) + { + _dbus_verbose ("Maximum recursion depth reached validating message\n"); + return FALSE; + } + switch (type) { case DBUS_TYPE_INVALID: @@ -1216,7 +1233,7 @@ _dbus_marshal_validate_arg (const DBusString *str, case DBUS_TYPE_BYTE: if (1 > _dbus_string_get_length (str) - pos) { - _dbus_verbose ("no room for boolean value\n"); + _dbus_verbose ("no room for byte value\n"); return FALSE; } @@ -1342,7 +1359,7 @@ _dbus_marshal_validate_arg (const DBusString *str, while (pos < end) { - if (!_dbus_marshal_validate_arg (str, byte_order, + if (!_dbus_marshal_validate_arg (str, byte_order, depth + 1, array_type, pos, &pos)) return FALSE; } @@ -1378,7 +1395,7 @@ _dbus_marshal_validate_arg (const DBusString *str, while (pos < end) { /* Validate name */ - if (!_dbus_marshal_validate_arg (str, byte_order, + if (!_dbus_marshal_validate_arg (str, byte_order, depth + 1, DBUS_TYPE_STRING, pos, &pos)) return FALSE; @@ -1389,7 +1406,7 @@ _dbus_marshal_validate_arg (const DBusString *str, } /* Validate element */ - if (!_dbus_marshal_validate_arg (str, byte_order, + if (!_dbus_marshal_validate_arg (str, byte_order, depth + 1, dict_type, pos, &pos)) return FALSE; } |