From 7c99ef8bfa024f11452311c36329eeeeece4fd74 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Wed, 22 Jun 2016 11:41:43 +0200 Subject: [PATCH] Fix memory corruption when reading inetgers from cbor When the cbor_value_get_*() function is called with a pointer to some int, it should have the correct size. When we cast it to something else it is treated as a pointer to an uint64_t in the function for example and them 64 bits gets written to memory even with the real type is only 32 bit long. When the real type is only 32 bit long some other memory gets overwritten. On Big endian systems the least significant bits are cut of so in most cases 0 is read. With this patch a value cast is used and the value is converted to the other size. This is the same as in commit 0d64c7c95a5c11a9fb5201e729fd8c75da210c80 "security: fix reading of permission attribute from configuration" Change-Id: If5965491241e25ebf60a22dc45d37d74a33cb02f Signed-off-by: Hauke Mehrtens --- resource/csdk/security/src/pconfresource.c | 5 ++++- resource/csdk/stack/src/ocpayloadparse.c | 19 +++++++++++++++---- 2 files changed, 19 insertions(+), 5 deletions(-) --- a/resource/csdk/security/src/pconfresource.c +++ b/resource/csdk/security/src/pconfresource.c @@ -507,8 +507,11 @@ OCStackResult CBORPayloadToPconf(const u while (cbor_value_is_valid(&prm)) { - cborFindResult = cbor_value_get_int(&prm, (int *)&pconf->prm[i++]); + int prm_val; + + cborFindResult = cbor_value_get_int(&prm, &prm_val); VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to get value"); + pconf->prm[i++] = (OicSecPrm_t)prm_val; cborFindResult = cbor_value_advance(&prm); VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to advance value"); } --- a/resource/csdk/stack/src/ocpayloadparse.c +++ b/resource/csdk/stack/src/ocpayloadparse.c @@ -287,6 +287,8 @@ static OCStackResult OCParseDiscoveryPay while (cbor_value_is_map(&resourceMap)) { + int bitmap; + resource = (OCResourcePayload *)OICCalloc(1, sizeof(OCResourcePayload)); VERIFY_PARAM_NON_NULL(TAG, resource, "Failed allocating resource payload"); @@ -319,8 +321,9 @@ static OCStackResult OCParseDiscoveryPay // Bitmap err = cbor_value_map_find_value(&policyMap, OC_RSRVD_BITMAP, &curVal); VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap tag"); - err = cbor_value_get_int(&curVal, (int *)&resource->bitmap); + err = cbor_value_get_int(&curVal, &bitmap); VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap value"); + resource->bitmap = (uint8_t)bitmap; // Secure Flag err = cbor_value_map_find_value(&policyMap, OC_RSRVD_SECURE, &curVal); @@ -336,8 +339,11 @@ static OCStackResult OCParseDiscoveryPay VERIFY_CBOR_SUCCESS(TAG, err, "to find port tag"); if (cbor_value_is_valid(&curVal)) { - err = cbor_value_get_int(&curVal, (int *)&resource->port); + int port; + + err = cbor_value_get_int(&curVal, &port); VERIFY_CBOR_SUCCESS(TAG, err, "to find port value"); + resource->port = (uint16_t)port; } err = cbor_value_advance(&resourceMap); @@ -1170,6 +1176,7 @@ static OCStackResult OCParsePresencePayl { CborValue curVal; uint64_t temp = 0; + uint8_t trigger; // Sequence Number CborError err = cbor_value_map_find_value(rootValue, OC_RSRVD_NONCE, &curVal); @@ -1189,8 +1196,9 @@ static OCStackResult OCParsePresencePayl // Trigger err = cbor_value_map_find_value(rootValue, OC_RSRVD_TRIGGER, &curVal); VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger tag"); - err = cbor_value_get_simple_type(&curVal, (uint8_t *)&payload->trigger); + err = cbor_value_get_simple_type(&curVal, &trigger); VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger value"); + payload->trigger = (OCPresenceTrigger)trigger; // Resource type name err = cbor_value_map_find_value(rootValue, OC_RSRVD_RESOURCE_TYPE, &curVal);