Commit 9ff7c633 authored by ol.beketov's avatar ol.beketov Committed by Randeep

[IOT-2172] Length check before memcpy added

Change-Id: I539a8f21fd149b7d468d96b52e7bcadc964f6931
Signed-off-by: default avatarol.beketov <ol.beketov@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/19785Reviewed-by: default avatarKevin Kane <kkane@microsoft.com>
Tested-by: default avatarjenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: default avatarDmitriy Zhuravlev <d.zhuravlev@samsung.com>
Reviewed-by: default avatarAndrii Shtompel <a.shtompel@samsung.com>
Reviewed-by: default avatardongik Lee <dongik.lee@samsung.com>
Reviewed-by: Randeep's avatarRandeep Singh <randeep.s@samsung.com>
parent eba54fe0
......@@ -2153,6 +2153,12 @@ static bool GetSubjectFromQueryString(const char *query, OicUuid_t *subject)
{
char strUuid[STRING_UUID_SIZE] = {0};
VERIFY_SUCCESS(TAG, 0 != parseIter.valLen, ERROR);
if (sizeof(strUuid) < parseIter.valLen)
{
OIC_LOG(ERROR, TAG, "Uuid is too long");
goto exit;
}
memcpy(strUuid, parseIter.valPos, parseIter.valLen);
OCStackResult res = ConvertStrToUuid(strUuid, subject);
VERIFY_SUCCESS(TAG, OC_STACK_OK == res, ERROR);
......
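Review bot: The new guard in GetSubjectFromQueryString lets `parseIter.valLen == sizeof(strUuid)` through, so the memcpy can fill the whole zero-initialised buffer and leave no terminating NUL before `strUuid` is passed to ConvertStrToUuid. If that helper reads its argument as a C string (its body is not shown here), it would read past the end of the array. Rejecting the equal case closes this: `if (sizeof(strUuid) <= parseIter.valLen)`. The function starts and ends outside the hunk, so the cleanup at `exit` could not be checked.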
......@@ -2788,8 +2788,13 @@ int32_t GetDtlsPskCredentials(CADtlsPskCredType_t type,
{
if (ValueWithinBounds(cred->privateData.len, INT32_MAX))
{
ret = (int32_t)cred->privateData.len;
memcpy(result, cred->privateData.data, ret);
size_t len = cred->privateData.len;
if (result_length < len)
{
OIC_LOG (ERROR, TAG, "Wrong value for result_length");
return ret;
}
memcpy(result, cred->privateData.data, len);
}
}
else if(OIC_ENCODING_BASE64 == cred->privateData.encoding)
......@@ -2807,6 +2812,11 @@ int32_t GetDtlsPskCredentials(CADtlsPskCredType_t type,
{
if (ValueWithinBounds(outKeySize, INT32_MAX))
{
if (result_length < outKeySize)
{
OIC_LOG (ERROR, TAG, "Wrong value for result_length");
return ret;
}
memcpy(result, outKey, outKeySize);
ret = (int32_t)outKeySize;
}
......
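Review bot: In the first hunk of GetDtlsPskCredentials the raw-encoding branch no longer assigns the copied length to `ret`: going by the hunk header counts, `ret = (int32_t)cred->privateData.len;` is on the removed side and nothing replaces it after the new `memcpy(result, cred->privateData.data, len);`. The base64 branch in the second hunk still sets `ret = (int32_t)outKeySize;`, so the two paths now disagree and the raw path would return whatever `ret` was initialised to outside the hunk, which a caller presumably reads as a failed PSK lookup. Adding `ret = (int32_t)len;` after the memcpy restores the previous return value. Separately, if `outKey` in the second hunk is heap-allocated earlier in the function (not visible here), the new early `return ret;` skips its release.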
......@@ -952,6 +952,11 @@ static bool ValidateQuery(const char * query)
bDeviceIDQry = true;
OicUuid_t subject = {.id={0}};
if (sizeof(subject.id) < parseIter.valLen)
{
OIC_LOG (ERROR, TAG, "Subject ID length is too long");
return false;
}
memcpy(subject.id, parseIter.valPos, parseIter.valLen);
if (0 == memcmp(&gDoxm->deviceID.id, &subject.id, sizeof(gDoxm->deviceID.id)))
{
......@@ -1110,6 +1115,11 @@ void MultipleOwnerDTLSHandshakeCB(const CAEndpoint_t *object,
if(subOwnerInst)
{
char* strUuid = NULL;
if (sizeof(subOwnerInst->uuid.id) < authenticationSubOwnerInfo.identity.id)
{
OIC_LOG(ERROR, TAG, "Identity id is too long");
return;
}
memcpy(subOwnerInst->uuid.id, authenticationSubOwnerInfo.identity.id,
authenticationSubOwnerInfo.identity.id_length);
if(OC_STACK_OK != ConvertUuidToStr(&subOwnerInst->uuid, &strUuid))
......
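Review bot: The guard added in MultipleOwnerDTLSHandshakeCB compares `sizeof(subOwnerInst->uuid.id)` with `authenticationSubOwnerInfo.identity.id`, which appears to be the identity buffer itself rather than its length, while the memcpy below is sized by `identity.id_length`. As written the comparison does not bound the copy, so an over-long identity would still be written past `uuid.id`; most compilers also warn about comparing an integer with a pointer here. The condition should read `if (sizeof(subOwnerInst->uuid.id) < authenticationSubOwnerInfo.identity.id_length)`. The check in ValidateQuery in the same section uses the length field correctly. Both functions continue outside their hunks, so whether the early `return;` skips any cleanup could not be checked.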
......@@ -635,6 +635,12 @@ int32_t GetDtlsPskForPreconfPinOxm( CADtlsPskCredType_t type,
return ret;
}
if (g_PinOxmData.pinSize < pinLength)
{
OIC_LOG (ERROR, TAG, "PIN length too long");
OICFree(pinBuffer);
return ret;
}
memcpy(g_PinOxmData.pinData, pinBuffer, pinLength);
OICFree(pinBuffer);
}
......@@ -735,6 +741,12 @@ int32_t GetDtlsPskForMotPreconfPinOxm( CADtlsPskCredType_t type,
return ret;
}
if (g_PinOxmData.pinSize < pinLength)
{
OIC_LOG (ERROR, TAG, "PIN length is too long");
OICFree(pinBuffer);
return ret;
}
memcpy(g_PinOxmData.pinData, pinBuffer, pinLength);
OICFree(pinBuffer);
}
......
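Review bot: Both new guards bound the copy by `g_PinOxmData.pinSize`, a runtime field, rather than by the capacity of the destination `g_PinOxmData.pinData`. The check therefore only prevents an overflow if `pinSize` can never exceed the size of `pinData`, and that invariant is not visible in either hunk. If `pinData` is a fixed array, comparing against its size makes the guard self-contained: `if (sizeof(g_PinOxmData.pinData) < pinLength)`, with `<=` if the PIN is later read as a NUL-terminated string. The same applies to GetDtlsPskForPreconfPinOxm and GetDtlsPskForMotPreconfPinOxm, and the two log strings (`"PIN length too long"` and `"PIN length is too long"`) could be made identical.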
......@@ -520,6 +520,11 @@ OCStackResult CBORPayloadToPconf(const uint8_t *cborPayload, size_t size, OicSec
uint8_t *pin = NULL;
cborFindResult = cbor_value_dup_byte_string(&pconfMap, &pin, &len, NULL);
VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed to get value");
if (sizeof(pconf->pin.val) < len)
{
OIC_LOG (ERROR, TAG, "PIN length is too long");
goto exit;
}
memcpy(pconf->pin.val, pin, len);
OICFree(pin);
}
......
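Review bot: The new error path in CBORPayloadToPconf leaks `pin`: `cbor_value_dup_byte_string` allocates it, the success path releases it with `OICFree(pin);` after the memcpy, but the too-long branch jumps to `exit` without freeing it. `pin` is declared inside this block, so the code at `exit` cannot release it either. Add `OICFree(pin);` before `goto exit;`, as the equivalent check in CBORPayloadToVer does for `version`. It is also worth confirming that `exit` reports failure on this path, since `cborFindResult` still holds a success value here; the label is outside the hunk.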
......@@ -190,6 +190,13 @@ OCStackResult CBORPayloadToVer(const uint8_t *cborPayload, size_t size,
char *version = NULL;
cborFindResult = cbor_value_dup_text_string(&verMap, &version, &len, NULL);
VERIFY_CBOR_SUCCESS(TAG, cborFindResult, "Failed Finding Security Version Value.");
if (sizeof(ver->secv) < len)
{
OIC_LOG (ERROR, TAG, "Version length is too long");
OICFree(version);
OICFree(ver);
goto exit;
}
memcpy(ver->secv, version, len);
OICFree(version);
}
......
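Review bot: The too-long branch in CBORPayloadToVer calls `OICFree(ver);` and then jumps to `exit` with `ver` still holding the freed address. The `exit` block is outside the hunk; if it frees `ver` on failure or stores it through an output parameter, this becomes a double free or a dangling pointer handed to the caller. Setting `ver = NULL;` right after the free, or dropping the free and letting `exit` own the cleanup, avoids that. `cborFindResult` is still a success value at this point, so if `exit` decides failure from it, the branch should also set an error status before the jump.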