
From 7c99ef8bfa024f11452311c36329eeeeece4fd74 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens <hauke.mehrtens@intel.com>
Date: Wed, 22 Jun 2016 11:41:43 +0200
Subject: [PATCH] Fix memory corruption when reading inetgers from cbor
When a cbor_value_get_*() function is called with a pointer to some int, the
pointed-to object should have the correct size. When we cast the pointer to
something else, it is treated as a pointer to, for example, a uint64_t in the
function, and then 64 bits get written to memory even when the real type is
only 32 bits long. When the real type is only 32 bits long, some other memory
gets overwritten. On big-endian systems the least significant bits are cut off,
so in most cases 0 is read.
With this patch a value cast is used and the value is converted to the other size.
This is the same as in commit 0d64c7c95a5c11a9fb5201e729fd8c75da210c80
"security: fix reading of permission attribute from configuration"
Change-Id: If5965491241e25ebf60a22dc45d37d74a33cb02f
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
---
resource/csdk/security/src/pconfresource.c | 5 ++++-
resource/csdk/stack/src/ocpayloadparse.c | 19 +++++++++++++++----
2 files changed, 19 insertions(+), 5 deletions(-)
--- a/resource/csdk/security/src/pconfresource.c
+++ b/resource/csdk/security/src/pconfresource.c
@@ -507,8 +507,11 @@ OCStackResult CBORPayloadToPconf(const u
while (cbor_value_is_valid(&prm))
{
- cborFindResult = cbor_value_get_int(&prm, (int *)&pconf->prm[i++]);
+ int prm_val;
+
+ cborFindResult = cbor_value_get_int(&prm, &prm_val);
VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to get value");
+ pconf->prm[i++] = (OicSecPrm_t)prm_val;
cborFindResult = cbor_value_advance(&prm);
VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to advance value");
}
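Review bot: `prm_val` is taken from the received payload and stored with `(OicSecPrm_t)prm_val` without checking that it corresponds to a defined enumerator, so any integer the sender chooses ends up in `pconf->prm[]`. Comparing `prm_val` against the lowest and highest `OicSecPrm_t` values and failing the parse otherwise, before the assignment, would keep invalid modes out of the stored configuration. The bound on `i` is not visible in this hunk; it is worth confirming that the loop cannot write past the end of `pconf->prm` when the array holds more entries than were allocated for. The same unchecked conversion appears in ocpayloadparse.c at `(uint8_t)bitmap`, `(uint16_t)port` and `(OCPresenceTrigger)trigger`, where a negative or oversized integer is silently truncated; for the port, for instance, `if (port < 0 || port > UINT16_MAX)` could reject it. The function body starts and ends outside the hunk.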
--- a/resource/csdk/stack/src/ocpayloadparse.c
+++ b/resource/csdk/stack/src/ocpayloadparse.c
@@ -287,6 +287,8 @@ static OCStackResult OCParseDiscoveryPay
while (cbor_value_is_map(&resourceMap))
{
+ int bitmap;
+
resource = (OCResourcePayload *)OICCalloc(1, sizeof(OCResourcePayload));
VERIFY_PARAM_NON_NULL(TAG, resource, "Failed allocating resource payload");
@@ -319,8 +321,9 @@ static OCStackResult OCParseDiscoveryPay
// Bitmap
err = cbor_value_map_find_value(&policyMap, OC_RSRVD_BITMAP, &curVal);
VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap tag");
- err = cbor_value_get_int(&curVal, (int *)&resource->bitmap);
+ err = cbor_value_get_int(&curVal, &bitmap);
VERIFY_CBOR_SUCCESS(TAG, err, "to find bitmap value");
+ resource->bitmap = (uint8_t)bitmap;
// Secure Flag
err = cbor_value_map_find_value(&policyMap, OC_RSRVD_SECURE, &curVal);
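Review bot: `cbor_value_get_int(&curVal, &bitmap)` is reached without first confirming that `curVal` actually holds an integer. As far as I know, tinycbor's `cbor_value_map_find_value()` returns success with an invalid-type element when the key is absent, and `cbor_value_get_int()` only asserts the type, so in a build without assertions a payload with a missing or non-integer bitmap would yield a meaningless `bitmap` that is then stored in `resource->bitmap`. A `cbor_value_is_integer(&curVal)` check before the read would close that, in the same way the port path already guards with `cbor_value_is_valid(&curVal)`. The trigger read through `cbor_value_get_simple_type()` in OCParsePresencePayload has the same shape. The enclosing function starts and ends outside the hunk.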
@@ -336,8 +339,11 @@ static OCStackResult OCParseDiscoveryPay
VERIFY_CBOR_SUCCESS(TAG, err, "to find port tag");
if (cbor_value_is_valid(&curVal))
{
- err = cbor_value_get_int(&curVal, (int *)&resource->port);
+ int port;
+
+ err = cbor_value_get_int(&curVal, &port);
VERIFY_CBOR_SUCCESS(TAG, err, "to find port value");
+ resource->port = (uint16_t)port;
}
err = cbor_value_advance(&resourceMap);
@@ -1170,6 +1176,7 @@ static OCStackResult OCParsePresencePayl
{
CborValue curVal;
uint64_t temp = 0;
+ uint8_t trigger;
// Sequence Number
CborError err = cbor_value_map_find_value(rootValue, OC_RSRVD_NONCE, &curVal);
@@ -1189,8 +1196,9 @@ static OCStackResult OCParsePresencePayl
// Trigger
err = cbor_value_map_find_value(rootValue, OC_RSRVD_TRIGGER, &curVal);
VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger tag");
- err = cbor_value_get_simple_type(&curVal, (uint8_t *)&payload->trigger);
+ err = cbor_value_get_simple_type(&curVal, &trigger);
VERIFY_CBOR_SUCCESS(TAG, err, "Failed finding trigger value");
+ payload->trigger = (OCPresenceTrigger)trigger;
// Resource type name
err = cbor_value_map_find_value(rootValue, OC_RSRVD_RESOURCE_TYPE, &curVal);