
  1. From 7c99ef8bfa024f11452311c36329eeeeece4fd74 Mon Sep 17 00:00:00 2001
  2. From: Hauke Mehrtens <hauke.mehrtens@intel.com>
  3. Date: Wed, 22 Jun 2016 11:41:43 +0200
  4. Subject: [PATCH] Fix memory corruption when reading inetgers from cbor
  5. When the cbor_value_get_*() function is called with a pointer to some int, it
  6. should have the correct size. When we cast it to something else it is treated
  7. as a pointer to a uint64_t in the function, for example, and then 64 bits get
  8. written to memory even when the real type is only 32 bits long. When the real
  9. type is only 32 bits long some other memory gets overwritten. On big-endian
  10. systems the least significant bits are cut off, so in most cases 0 is read.
  11. With this patch a value cast is used and the value is converted to the other size.
  12. This is the same as in commit 0d64c7c95a5c11a9fb5201e729fd8c75da210c80
  13. "security: fix reading of permission attribute from configuration"
  14. Change-Id: If5965491241e25ebf60a22dc45d37d74a33cb02f
  15. Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
  16. ---
  17. resource/csdk/security/src/pconfresource.c | 5 ++++-
  18. resource/csdk/stack/src/ocpayloadparse.c | 19 +++++++++++++++----
  19. 2 files changed, 19 insertions(+), 5 deletions(-)
  20. --- a/resource/csdk/security/src/pconfresource.c
  21. +++ b/resource/csdk/security/src/pconfresource.c
  22. @@ -507,8 +507,11 @@ OCStackResult CBORPayloadToPconf(const u
  23. while (cbor_value_is_valid(&prm))
  24. {
  25. - cborFindResult = cbor_value_get_int(&prm, (int *)&pconf->prm[i++]);
  26. + int prm_val;
  27. +
  28. + cborFindResult = cbor_value_get_int(&prm, &prm_val);
  29. VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to get value");
  30. + pconf->prm[i++] = (OicSecPrm_t)prm_val;
  31. cborFindResult = cbor_value_advance(&prm);
  32. VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to advance value");
  33. }
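Review bot: The new `pconf->prm[i++] = (OicSecPrm_t)prm_val;` stores whatever integer the payload carried, so a value that matches no OicSecPrm_t enumerator lands in the security configuration unchecked. The same unchecked narrowing is in the ocpayloadparse.c hunks, where `(uint8_t)bitmap` and `(uint16_t)port` silently wrap negative or oversized values instead of failing the parse. A range test before each assignment would close this, for example `if (port < 0 || port > UINT16_MAX) err = CborErrorDataTooLarge;` followed by a second `VERIFY_CBOR_SUCCESS(TAG, err, "to find port value");`, assuming that macro bails out on any non-zero CborError. CBORPayloadToPconf starts and ends outside the hunk, so the bound on `i` against the allocated size of `pconf->prm` cannot be confirmed here and is worth checking, since the loop runs for as many elements as the payload supplies.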
  34. --- a/resource/csdk/stack/src/ocpayloadparse.c
  35. +++ b/resource/csdk/stack/src/ocpayloadparse.c
  36. @@ -287,6 +287,8 @@ static OCStackResult OCParseDiscoveryPay
  37. while (cbor_value_is_map(&resourceMap))
  38. {
  39. + int bitmap;
  40. +
  41. resource = (OCResourcePayload *)OICCalloc(1, sizeof(OCResourcePayload));
  42. VERIFY_PARAM_NON_NULL(TAG, resource, "Failed allocating resource payload");
  43. @@ -319,8 +321,9 @@ static OCStackResult OCParseDiscoveryPay
  44. // Bitmap
  45. err = cbor_value_map_find_value(&policyMap, OC_RSRVD_BITMAP, &curVal);
  46. VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap tag");
  47. - err = cbor_value_get_int(&curVal, (int *)&resource->bitmap);
  48. + err = cbor_value_get_int(&curVal, &bitmap);
  49. VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap value");
  50. + resource->bitmap = (uint8_t)bitmap;
  51. // Secure Flag
  52. err = cbor_value_map_find_value(&policyMap, OC_RSRVD_SECURE, &curVal);
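Review bot: `cbor_value_get_int(&curVal, &bitmap)` is reached without any check that the looked-up item is an integer; only a VERIFY_CBOR_SUCCESS on the lookup result sits between the two calls. In tinycbor, cbor_value_map_find_value() returns success and leaves the element with an invalid type when the key is absent, and cbor_value_get_int() is undefined on a non-integer, so a policy map that lacks the bitmap key or carries another type there is not rejected by the error checks shown. The port hunk below already guards with `cbor_value_is_valid(&curVal)`; here the read could become `err = cbor_value_is_integer(&curVal) ? cbor_value_get_int(&curVal, &bitmap) : CborErrorIllegalType;`. The trigger read in OCParsePresencePayload has the same shape with `cbor_value_get_simple_type`, where `cbor_value_is_simple_type(&curVal)` is the matching check, and the prm loop in pconfresource.c reads each array element the same way.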
  53. @@ -336,8 +339,11 @@ static OCStackResult OCParseDiscoveryPay
  54. VERIFY_CBOR_SUCCESS(TAG, err, "to find port tag");
  55. if (cbor_value_is_valid(&curVal))
  56. {
  57. - err = cbor_value_get_int(&curVal, (int *)&resource->port);
  58. + int port;
  59. +
  60. + err = cbor_value_get_int(&curVal, &port);
  61. VERIFY_CBOR_SUCCESS(TAG, err, "to find port value");
  62. + resource->port = (uint16_t)port;
  63. }
  64. err = cbor_value_advance(&resourceMap);
  65. @@ -1170,6 +1176,7 @@ static OCStackResult OCParsePresencePayl
  66. {
  67. CborValue curVal;
  68. uint64_t temp = 0;
  69. + uint8_t trigger;
  70. // Sequence Number
  71. CborError err = cbor_value_map_find_value(rootValue, OC_RSRVD_NONCE, &curVal);
  72. @@ -1189,8 +1196,9 @@ static OCStackResult OCParsePresencePayl
  73. // Trigger
  74. err = cbor_value_map_find_value(rootValue, OC_RSRVD_TRIGGER, &curVal);
  75. VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger tag");
  76. - err = cbor_value_get_simple_type(&curVal, (uint8_t *)&payload->trigger);
  77. + err = cbor_value_get_simple_type(&curVal, &trigger);
  78. VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger value");
  79. + payload->trigger = (OCPresenceTrigger)trigger;
  80. // Resource type name
  81. err = cbor_value_map_find_value(rootValue, OC_RSRVD_RESOURCE_TYPE, &curVal);