From 96a47516321dea8c08e1ab15ac0102ce3c3ae3f1 Mon Sep 17 00:00:00 2001 From: Havoc Pennington Date: Sun, 6 Feb 2005 05:19:50 +0000 Subject: 2005-02-06 Havoc Pennington * dbus/dbus-message-factory.c (generate_special): more tests * dbus/dbus-marshal-validate.c (validate_body_helper): detect array length that exceeds the maximum --- ChangeLog | 7 +++ dbus/dbus-marshal-basic.c | 7 ++- dbus/dbus-marshal-validate.c | 5 +- dbus/dbus-marshal-validate.h | 45 +++++++------- dbus/dbus-message-factory.c | 145 ++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 182 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index cbde9ade..7678f5b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2005-02-06 Havoc Pennington + + * dbus/dbus-message-factory.c (generate_special): more tests + + * dbus/dbus-marshal-validate.c (validate_body_helper): detect + array length that exceeds the maximum + 2005-02-05 Havoc Pennington * dbus/dbus-message-factory.c (generate_special): more test cases, diff --git a/dbus/dbus-marshal-basic.c b/dbus/dbus-marshal-basic.c index 84a9ccaf..a443ea35 100644 --- a/dbus/dbus-marshal-basic.c +++ b/dbus/dbus-marshal-basic.c @@ -577,8 +577,8 @@ _dbus_marshal_read_basic (const DBusString *str, } break; default: - _dbus_warn ("type %s not a basic type\n", - _dbus_type_to_string (type)); + _dbus_warn ("type %s %d not a basic type\n", + _dbus_type_to_string (type), type); _dbus_assert_not_reached ("not a basic type"); break; } @@ -757,6 +757,9 @@ marshal_len_followed_by_bytes (int marshal_as, if (marshal_as == MARSHAL_AS_SIGNATURE) { + _dbus_assert (data_len <= DBUS_MAXIMUM_SIGNATURE_LENGTH); + _dbus_assert (data_len <= 255); /* same as max sig len right now */ + if (!_dbus_string_insert_byte (str, pos, data_len)) goto oom; diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c index c1d95820..1639fb83 100644 --- a/dbus/dbus-marshal-validate.c +++ b/dbus/dbus-marshal-validate.c @@ -266,7 +266,7 @@ validate_body_helper (DBusTypeReader *reader, } if (claimed_len > (unsigned long) (end - p)) - return DBUS_INVALID_STRING_LENGTH_OUT_OF_BOUNDS; + return DBUS_INVALID_LENGTH_OUT_OF_BOUNDS; if (current_type == DBUS_TYPE_OBJECT_PATH) { @@ -294,6 +294,9 @@ validate_body_helper (DBusTypeReader *reader, DBusValidity validity; const unsigned char *array_end; + if (claimed_len > DBUS_MAXIMUM_ARRAY_LENGTH) + return DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM; + /* Remember that the reader is types only, so we can't * use it to iterate over elements. It stays the same * for all elements. diff --git a/dbus/dbus-marshal-validate.h b/dbus/dbus-marshal-validate.h index 8989d508..74f4bbf2 100644 --- a/dbus/dbus-marshal-validate.h +++ b/dbus/dbus-marshal-validate.h @@ -55,7 +55,9 @@ typedef enum DBUS_VALID = 0, DBUS_INVALID_UNKNOWN_TYPECODE = 1, DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE = 2, - DBUS_INVALID_SIGNATURE_TOO_LONG = 3, + DBUS_INVALID_SIGNATURE_TOO_LONG = 3, /* this one is impossible right now since + * you can't put a too-long value in a byte + */ DBUS_INVALID_EXCEEDED_MAXIMUM_ARRAY_RECURSION = 4, DBUS_INVALID_EXCEEDED_MAXIMUM_STRUCT_RECURSION = 5, DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED = 6, @@ -87,27 +89,26 @@ typedef enum DBUS_INVALID_MISSING_MEMBER = 32, DBUS_INVALID_MISSING_ERROR_NAME = 33, DBUS_INVALID_MISSING_REPLY_SERIAL = 34, - DBUS_INVALID_STRING_LENGTH_OUT_OF_BOUNDS = 35, - DBUS_INVALID_ARRAY_LENGTH_OUT_OF_BOUNDS = 36, - DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM = 37, - DBUS_INVALID_BAD_PATH = 38, - DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 39, - DBUS_INVALID_BAD_UTF8_IN_STRING = 40, - DBUS_INVALID_ARRAY_LENGTH_INCORRECT = 41, - DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 42, - DBUS_INVALID_VARIANT_SIGNATURE_BAD = 43, - DBUS_INVALID_VARIANT_SIGNATURE_EMPTY = 44, - DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES = 45, - DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL = 46, - DBUS_INVALID_STRING_MISSING_NUL = 47, - DBUS_INVALID_SIGNATURE_MISSING_NUL = 48, - DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION = 49, - DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED = 50, - DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED = 51, - DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS = 52, - DBUS_INVALID_DICT_ENTRY_HAS_ONLY_ONE_FIELD = 53, - DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 54, - DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 55, + DBUS_INVALID_LENGTH_OUT_OF_BOUNDS = 35, + DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM = 36, + DBUS_INVALID_BAD_PATH = 37, + DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 38, + DBUS_INVALID_BAD_UTF8_IN_STRING = 39, + DBUS_INVALID_ARRAY_LENGTH_INCORRECT = 40, + DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS = 41, + DBUS_INVALID_VARIANT_SIGNATURE_BAD = 42, + DBUS_INVALID_VARIANT_SIGNATURE_EMPTY = 43, + DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES = 44, + DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL = 45, + DBUS_INVALID_STRING_MISSING_NUL = 46, + DBUS_INVALID_SIGNATURE_MISSING_NUL = 47, + DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION = 48, + DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED = 49, + DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED = 50, + DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS = 51, + DBUS_INVALID_DICT_ENTRY_HAS_ONLY_ONE_FIELD = 52, + DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS = 53, + DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY = 54, DBUS_VALIDITY_LAST } DBusValidity; diff --git a/dbus/dbus-message-factory.c b/dbus/dbus-message-factory.c index adcb9b2e..37c3d38d 100644 --- a/dbus/dbus-message-factory.c +++ b/dbus/dbus-message-factory.c @@ -315,6 +315,22 @@ simple_method_return (void) return message; } +static DBusMessage* +simple_error (void) +{ + DBusMessage *message; + message = dbus_message_new (DBUS_MESSAGE_TYPE_ERROR); + if (message == NULL) + _dbus_assert_not_reached ("oom"); + + if (!dbus_message_set_error_name (message, "foo.bar")) + _dbus_assert_not_reached ("oom"); + + set_reply_serial (message); + + return message; +} + static dbus_bool_t generate_special (DBusMessageDataIter *iter, DBusString *data, @@ -354,7 +370,7 @@ generate_special (DBusMessageDataIter *iter, } else if (item_seq == 1) { - char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH+1]; + char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH+2]; const char *v_STRING; int i; @@ -372,6 +388,7 @@ generate_special (DBusMessageDataIter *iter, long_sig[i] = DBUS_TYPE_ARRAY; ++i; } + long_sig[i] = DBUS_TYPE_INVALID; v_STRING = long_sig; if (!_dbus_header_set_field_basic (&message->header, @@ -389,7 +406,7 @@ generate_special (DBusMessageDataIter *iter, } else if (item_seq == 2) { - char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*2+3]; + char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*2+4]; const char *v_STRING; int i; @@ -416,6 +433,7 @@ generate_special (DBusMessageDataIter *iter, long_sig[i] = DBUS_STRUCT_END_CHAR; ++i; } + long_sig[i] = DBUS_TYPE_INVALID; v_STRING = long_sig; if (!_dbus_header_set_field_basic (&message->header, @@ -592,6 +610,129 @@ generate_special (DBusMessageDataIter *iter, *expected_validity = DBUS_INVALID_MISSING_REPLY_SERIAL; } + else if (item_seq == 15) + { + message = simple_error (); + + if (!dbus_message_set_error_name (message, NULL)) + _dbus_assert_not_reached ("oom"); + + generate_from_message (data, expected_validity, message); + + *expected_validity = DBUS_INVALID_MISSING_ERROR_NAME; + } + else if (item_seq == 16) + { + char long_sig[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*3+6]; + const char *v_STRING; + int i; + int n_begins; + + message = simple_method_call (); + if (!dbus_message_append_args (message, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INVALID)) + _dbus_assert_not_reached ("oom"); + + i = 0; + while (i <= (DBUS_MAXIMUM_TYPE_RECURSION_DEPTH*2 + 2)) + { + long_sig[i] = DBUS_TYPE_ARRAY; + ++i; + long_sig[i] = DBUS_DICT_ENTRY_BEGIN_CHAR; + ++i; + } + n_begins = i / 2; + + long_sig[i] = DBUS_TYPE_INT32; + ++i; + long_sig[i] = DBUS_TYPE_INT32; + ++i; + + while (n_begins > 0) + { + long_sig[i] = DBUS_DICT_ENTRY_END_CHAR; + ++i; + n_begins -= 1; + } + long_sig[i] = DBUS_TYPE_INVALID; + + v_STRING = long_sig; + if (!_dbus_header_set_field_basic (&message->header, + DBUS_HEADER_FIELD_SIGNATURE, + DBUS_TYPE_SIGNATURE, + &v_STRING)) + _dbus_assert_not_reached ("oom"); + + _dbus_header_get_field_raw (&message->header, + DBUS_HEADER_FIELD_SIGNATURE, + NULL, &pos); + generate_from_message (data, expected_validity, message); + + *expected_validity = DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION; + } + else if (item_seq == 17) + { + message = simple_method_call (); + if (!dbus_message_append_args (message, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INVALID)) + _dbus_assert_not_reached ("oom"); + + _dbus_header_get_field_raw (&message->header, + DBUS_HEADER_FIELD_SIGNATURE, + NULL, &pos); + generate_from_message (data, expected_validity, message); + + _dbus_string_set_byte (data, pos + 1, DBUS_TYPE_ARRAY); + _dbus_string_set_byte (data, pos + 2, DBUS_DICT_ENTRY_BEGIN_CHAR); + + *expected_validity = DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED; + } + else if (item_seq == 18) + { + message = simple_method_call (); + if (!dbus_message_append_args (message, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INVALID)) + _dbus_assert_not_reached ("oom"); + + _dbus_header_get_field_raw (&message->header, + DBUS_HEADER_FIELD_SIGNATURE, + NULL, &pos); + generate_from_message (data, expected_validity, message); + + _dbus_string_set_byte (data, pos + 1, DBUS_DICT_ENTRY_END_CHAR); + + *expected_validity = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; + } + else if (item_seq == 19) + { + message = simple_method_call (); + if (!dbus_message_append_args (message, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INT32, &v_INT32, + DBUS_TYPE_INVALID)) + _dbus_assert_not_reached ("oom"); + + _dbus_header_get_field_raw (&message->header, + DBUS_HEADER_FIELD_SIGNATURE, + NULL, &pos); + generate_from_message (data, expected_validity, message); + + _dbus_string_set_byte (data, pos + 1, DBUS_TYPE_ARRAY); + _dbus_string_set_byte (data, pos + 2, DBUS_DICT_ENTRY_BEGIN_CHAR); + _dbus_string_set_byte (data, pos + 3, DBUS_DICT_ENTRY_END_CHAR); + + *expected_validity = DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS; + } else { return FALSE; -- cgit