Changeset 5145:c1a3ca765154 in roaraudio for libroar/ctl.c

Timestamp:

10/11/11 13:47:59 (13 years ago)

Author:

phi

Branch:

default

Phase:

public

Message:

• Fixed invalid pointer aliasing in filter code (pr0)
• Fixed remote a local buffer overflow in client to message converter code as well as a remote attackable overflow in message to client converter code (pr0)
• Updated error handling (pr0)

File:

• libroar/ctl.c (modified) (21 diffs)

libroar/ctl.c

@@ -311 +311 @@
  m->data[1] = filter;
  m->data[2] = cmp;
- *((uint32_t*)&(m->data[3])) = ROAR_HOST2NET32(id);
+ m->data[3] = (id & 0xFF000000LU) >> 24;
+ m->data[4] = (id & 0x00FF0000LU) >> 16;
+ m->data[5] = (id & 0x0000FF00LU) >>  8;
+ m->data[6] = (id & 0x000000FFLU) >>  0;
 
  return 0;
 }
 int roar_ctl_m2f      (struct roar_message * m, unsigned char * filter, unsigned char * cmp, uint32_t * id) {
+ register uint32_t idreg;
 
  if ( m->datalen != 7 )
@@ -328 +332 @@
  *cmp    = m->data[2];
 
- *id = ROAR_NET2HOST32(*((uint32_t*)&(m->data[3])));
+ idreg   = ((uint32_t)(unsigned char)m->data[3]) << 24;
+ idreg  |= ((uint32_t)(unsigned char)m->data[4]) << 16;
+ idreg  |= ((uint32_t)(unsigned char)m->data[5]) <<  8;
+ idreg  |= ((uint32_t)(unsigned char)m->data[6]) <<  0;
+ *id     = idreg;
 
  return 0;
@@ -345 +353 @@
    break;
   default:
+    roar_err_set(ROAR_ERROR_NOTSUP);
     return -1;
  }
@@ -352 +361 @@
  int i;
 
- if ( len > LIBROAR_BUFFER_MSGDATA )
-  return -1;
+ if ( len > LIBROAR_BUFFER_MSGDATA ) {
+  roar_err_set(ROAR_ERROR_MSGSIZE);
+  return -1;
+ }
 
  m->datalen = len;
@@ -365 +376 @@
  int i;
 
- if ( m->datalen > len )
-  return -1;
+ if ( m->datalen > len ) {
+  roar_err_set(ROAR_ERROR_MSGSIZE);
+  return -1;
+ }
 
  for (i = 0; i < m->datalen; i++)
@@ -380 +393 @@
  int max_len;
  uint32_t pid;
- size_t len_rest;
+ signed long int len_rest;
+ size_t nnode_len;
 
  if ( c == NULL )
@@ -429 +443 @@
  cur += 4;
 
- len_rest = sizeof(m->data) - cur;
- if ( roar_nnode_to_blob(&(c->nnode), &(m->data[cur]), &len_rest) == 0 ) {
-  cur += len_rest;
+ len_rest = (long int)sizeof(m->data) - (long int)cur;
+ if ( len_rest < 0 ) {
+  roar_panic(ROAR_FATAL_ERROR_MEMORY_CORRUPTION, NULL);
+ }
+
+ nnode_len = len_rest;
+ if ( roar_nnode_to_blob(&(c->nnode), &(m->data[cur]), &nnode_len) == 0 ) {
+  cur += nnode_len;
  }
 
@@ -445 +464 @@
  size_t len;
 
- if ( m == NULL || c == NULL )
-  return -1;
-
- if ( m->datalen == 0 )
-  return -1;
+ if ( m == NULL || c == NULL ) {
+  roar_err_set(ROAR_ERROR_FAULT);
+  return -1;
+ }
+
+ if ( m->datalen == 0 ) {
+  roar_err_set(ROAR_ERROR_MSGSIZE);
+  return -1;
+ }
 
  ROAR_DBG("roar_ctl_m2c(*): got data!, len = %i", m->datalen);
@@ -455 +478 @@
  if ( m->data[0] != 0 ) {
   ROAR_DBG("roar_ctl_m2c(*): wrong version!");
-  return -1;
- }
-
- if ( m->datalen < 3 )
-  return -1;
+  roar_err_set(ROAR_ERROR_NSVERSION);
+  return -1;
+ }
+
+ if ( m->datalen < 3 ) {
+  roar_err_set(ROAR_ERROR_MSGSIZE);
+  return -1;
+ }
 
  ROAR_DBG("roar_ctl_m2c(*): have usable data!");
@@ -467 +493 @@
  for (i = 0; i < ROAR_CLIENTS_MAX_STREAMS_PER_CLIENT; i++)
   c->streams[i] = -1;
+
+ if ( m->data[2] < 0 || m->data[2] > ROAR_CLIENTS_MAX_STREAMS_PER_CLIENT ) {
+  roar_err_set(ROAR_ERROR_TOOMANYARGS);
+  return -1;
+ }
 
  for (i = 0; i < m->data[2]; i++)
@@ -555 +586 @@
  }
 
+ roar_err_set(ROAR_ERROR_NOENT);
  return -1;
 }
@@ -592 +624 @@
  }
 
+ roar_err_set(ROAR_ERROR_NOENT);
  return -1;
 }
@@ -632 +665 @@
    return _libroar_ot[i].ot;
 
+ roar_err_set(ROAR_ERROR_NOENT);
  return -1;
 }
@@ -642 +676 @@
    return _libroar_ot[i].name;
 
+ roar_err_set(ROAR_ERROR_NOENT);
  return NULL;
 }
@@ -650 +685 @@
  uint_least32_t s;
 
- if ( dst == NULL || src == NULL || dstchans < 0 || srcchans < 0 )
-  return -1;
+ if ( dst == NULL || src == NULL ) {
+  roar_err_set(ROAR_ERROR_FAULT);
+  return -1;
+ }
+
+ if ( dstchans < 0 || srcchans < 0 ) {
+  roar_err_set(ROAR_ERROR_INVAL);
+  return -1;
+ }
 
  if ( dstchans == srcchans ) {
@@ -709 +751 @@
        break;
       default:
+        roar_err_set(ROAR_ERROR_NOTSUP);
         return -1;
        break;
@@ -741 +784 @@
        break;
       default:
+        roar_err_set(ROAR_ERROR_NOTSUP);
         return -1;
        break;
@@ -772 +816 @@
        break;
       default:
+        roar_err_set(ROAR_ERROR_NOTSUP);
         return -1;
        break;
@@ -802 +847 @@
        break;
       default:
+        roar_err_set(ROAR_ERROR_NOTSUP);
         return -1;
        break;
@@ -831 +877 @@
        break;
       default:
+        roar_err_set(ROAR_ERROR_NOTSUP);
         return -1;
        break;
@@ -836 +883 @@
     break;
    default:
+     roar_err_set(ROAR_ERROR_NOTSUP);
      return -1;
     break;