Use correct parameters when calling l_dbus_message_iter_get_fixed_array().
Also, check the return value and the length of the processed array and
return an error if the checks fail.
---
mesh/mesh.c | 11 ++++-------
mesh/node.c | 26 +++++++++++++-------------
2 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/mesh/mesh.c b/mesh/mesh.c
index 8db83b7c3..a0a9a7c8e 100644
--- a/mesh/mesh.c
+++ b/mesh/mesh.c
@@ -73,7 +73,7 @@ struct join_data{
const char *app_path;
struct mesh_node *node;
uint32_t disc_watch;
- uint8_t uuid[16];
+ uint8_t *uuid;
};
struct attach_data {
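Review bot: Replacing the owned `uint8_t uuid[16]` with a bare `uint8_t *uuid` means join_pending no longer owns the UUID bytes; in the `@@ -576` hunk of this file, `&join_pending->uuid` receives a pointer that, as far as I know of ell's iterator API, points into the body of `msg` rather than into a copy. join_pending appears to outlive the method call (it carries `disc_watch` and the author still duplicates the sender with `l_strdup(sender)`), so once the message is released the stored `uuid` dangles and any later read through it is a use-after-free. Unless a reference to the message is held for the lifetime of join_pending, the struct should keep the 16-byte array and the handler should copy into it after the new return-value check, e.g. a local `uint8_t *uuid;` passed as `&uuid` followed by `memcpy(join_pending->uuid, uuid, 16);`. The body of join_network_call continues outside that hunk, so I cannot see whether the message is ref'd there.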
@@ -561,7 +561,6 @@ static struct l_dbus_message *join_network_call(struct l_dbus *dbus,
{
const char *app_path, *sender;
struct l_dbus_message_iter iter_uuid;
- uint8_t *uuid;
uint32_t n;
l_debug("Join network request");
@@ -576,17 +575,15 @@ static struct l_dbus_message *join_network_call(struct l_dbus *dbus,
join_pending = l_new(struct join_data, 1);
- l_dbus_message_iter_get_fixed_array(&iter_uuid, &uuid, &n);
-
- if (n != 16) {
+ if (!l_dbus_message_iter_get_fixed_array(&iter_uuid,
+ &join_pending->uuid, &n)
+ || n != 16) {
l_free(join_pending);
join_pending = NULL;
return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
"Bad device UUID");
}
- memcpy(join_pending->uuid, uuid, 16);
-
sender = l_dbus_message_get_sender(msg);
join_pending->sender = l_strdup(sender);
diff --git a/mesh/node.c b/mesh/node.c
index 6a7b4a260..761a67af4 100644
--- a/mesh/node.c
+++ b/mesh/node.c
@@ -1537,7 +1537,7 @@ static struct l_dbus_message *send_call(struct l_dbus *dbus,
struct l_dbus_message_iter iter_data;
struct node_element *ele;
uint16_t dst, app_idx, src;
- uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
+ uint8_t *data;
uint32_t len;
struct l_dbus_message *reply;
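Review bot: `uint8_t *data;` is left uninitialized here while the same change in vendor_publish_call (the `@@ -1634` hunk) writes `uint8_t *data = NULL;`; publish_call (the `@@ -1583` hunk) matches this one. The check added in each handler guards every use, so this is not a defect, but the three handlers should be written the same way, and `uint8_t *data = NULL;` in all three is the safer choice since a failed iterator call otherwise leaves an indeterminate stack pointer that only the `||` short-circuit keeps from reaching the send path.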
@@ -1559,10 +1559,10 @@ static struct l_dbus_message *send_call(struct l_dbus *dbus,
src = node_get_primary(node) + ele->idx;
- l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
- if (!len)
+ if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) ||
+ !len || len > MESH_MAX_ACCESS_PAYLOAD)
return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
- "Mesh message is empty");
+ "Incorrect data");
if (!mesh_model_send(node, src, dst, app_idx,
mesh_net_get_default_ttl(node->net), data, len))
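Review bot: `data` now points into the D-Bus message body instead of a local copy, so the `mesh_model_send` call on the last two lines is safe only if it consumes the bytes synchronously; if the payload is queued for segmentation or retransmission without being copied, it goes stale when `msg` is released after the reply. I cannot confirm from this hunk which it is, so a comment at the call site would help, e.g. `/* data points into msg; mesh_model_send must copy it before returning */`. The same pattern is introduced for `mesh_model_publish` in the `@@ -1606` and `@@ -1657` hunks of this file. Separately, folding the failed-parse, empty and oversized cases into one `"Incorrect data"` string drops the distinction the old `"Mesh message is empty"` gave D-Bus callers; the enclosing function continues outside the hunk.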
@@ -1583,7 +1583,7 @@ static struct l_dbus_message *publish_call(struct l_dbus *dbus,
struct l_dbus_message_iter iter_data;
uint16_t mod_id, src;
struct node_element *ele;
- uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
+ uint8_t *data;
uint32_t len;
struct l_dbus_message *reply;
int result;
@@ -1606,10 +1606,10 @@ static struct l_dbus_message *publish_call(struct l_dbus *dbus,
src = node_get_primary(node) + ele->idx;
- l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
- if (!len)
+ if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) ||
+ !len || len > MESH_MAX_ACCESS_PAYLOAD)
return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
- "Mesh message is empty");
+ "Incorrect data");
result = mesh_model_publish(node, VENDOR_ID_MASK | mod_id, src,
mesh_net_get_default_ttl(node->net), data, len);
@@ -1634,7 +1634,7 @@ static struct l_dbus_message *vendor_publish_call(struct l_dbus *dbus,
uint16_t model_id, vendor;
uint32_t vendor_mod_id;
struct node_element *ele;
- uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
+ uint8_t *data = NULL;
uint32_t len;
struct l_dbus_message *reply;
int result;
@@ -1657,10 +1657,10 @@ static struct l_dbus_message *vendor_publish_call(struct l_dbus *dbus,
src = node_get_primary(node) + ele->idx;
- l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
- if (!len)
+ if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) ||
+ !len || len > MESH_MAX_ACCESS_PAYLOAD)
return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
- "Mesh message is empty");
+ "Incorrect data");
vendor_mod_id = (vendor << 16) | model_id;
result = mesh_model_publish(node, vendor_mod_id, src,
@@ -1686,7 +1686,7 @@ static void setup_node_interface(struct l_dbus_interface *iface)
"", "oqqay", "element_path",
"vendor", "model_id", "data");
- /*TODO: Properties */
+ /* TODO: Properties */
}
bool node_dbus_init(struct l_dbus *bus)
--
2.17.2
applied
> -----Original Message-----
> From: [email protected] [mailto:linux-bluetooth-
> [email protected]] On Behalf Of Inga Stotland
> Sent: Friday, March 1, 2019 3:53 PM
> To: [email protected]
> Cc: Gix, Brian <[email protected]>; [email protected];
> [email protected]; Stotland, Inga <[email protected]>
> Subject: [PATCH BlueZ] mesh: Fix array processing in Send, Publish, Join
>
> Use correct parameters when calling
> l_dbus_message_iter_get_fixed_array().
> Also, check the return value and the length of the processed array and return
> an error if the checks fail.
> ---
> mesh/mesh.c | 11 ++++-------
> mesh/node.c | 26 +++++++++++++-------------
> 2 files changed, 17 insertions(+), 20 deletions(-)
>
> diff --git a/mesh/mesh.c b/mesh/mesh.c
> index 8db83b7c3..a0a9a7c8e 100644
> --- a/mesh/mesh.c
> +++ b/mesh/mesh.c
> @@ -73,7 +73,7 @@ struct join_data{
> const char *app_path;
> struct mesh_node *node;
> uint32_t disc_watch;
> - uint8_t uuid[16];
> + uint8_t *uuid;
> };
>
> struct attach_data {
> @@ -561,7 +561,6 @@ static struct l_dbus_message
> *join_network_call(struct l_dbus *dbus, {
> const char *app_path, *sender;
> struct l_dbus_message_iter iter_uuid;
> - uint8_t *uuid;
> uint32_t n;
>
> l_debug("Join network request");
> @@ -576,17 +575,15 @@ static struct l_dbus_message
> *join_network_call(struct l_dbus *dbus,
>
> join_pending = l_new(struct join_data, 1);
>
> - l_dbus_message_iter_get_fixed_array(&iter_uuid, &uuid, &n);
> -
> - if (n != 16) {
> + if (!l_dbus_message_iter_get_fixed_array(&iter_uuid,
> + &join_pending->uuid, &n)
> + || n != 16) {
> l_free(join_pending);
> join_pending = NULL;
> return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
> "Bad device UUID");
> }
>
> - memcpy(join_pending->uuid, uuid, 16);
> -
> sender = l_dbus_message_get_sender(msg);
>
> join_pending->sender = l_strdup(sender); diff --git a/mesh/node.c
> b/mesh/node.c index 6a7b4a260..761a67af4 100644
> --- a/mesh/node.c
> +++ b/mesh/node.c
> @@ -1537,7 +1537,7 @@ static struct l_dbus_message *send_call(struct
> l_dbus *dbus,
> struct l_dbus_message_iter iter_data;
> struct node_element *ele;
> uint16_t dst, app_idx, src;
> - uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
> + uint8_t *data;
> uint32_t len;
> struct l_dbus_message *reply;
>
> @@ -1559,10 +1559,10 @@ static struct l_dbus_message *send_call(struct
> l_dbus *dbus,
>
> src = node_get_primary(node) + ele->idx;
>
> - l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
> - if (!len)
> + if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len)
> ||
> + !len || len >
> MESH_MAX_ACCESS_PAYLOAD)
> return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
> - "Mesh message is empty");
> + "Incorrect data");
>
> if (!mesh_model_send(node, src, dst, app_idx,
> mesh_net_get_default_ttl(node->net), data,
> len)) @@ -1583,7 +1583,7 @@ static struct l_dbus_message
> *publish_call(struct l_dbus *dbus,
> struct l_dbus_message_iter iter_data;
> uint16_t mod_id, src;
> struct node_element *ele;
> - uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
> + uint8_t *data;
> uint32_t len;
> struct l_dbus_message *reply;
> int result;
> @@ -1606,10 +1606,10 @@ static struct l_dbus_message *publish_call(struct
> l_dbus *dbus,
>
> src = node_get_primary(node) + ele->idx;
>
> - l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
> - if (!len)
> + if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len)
> ||
> + !len || len >
> MESH_MAX_ACCESS_PAYLOAD)
> return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
> - "Mesh message is empty");
> + "Incorrect data");
>
> result = mesh_model_publish(node, VENDOR_ID_MASK | mod_id,
> src,
> mesh_net_get_default_ttl(node->net), data,
> len); @@ -1634,7 +1634,7 @@ static struct l_dbus_message
> *vendor_publish_call(struct l_dbus *dbus,
> uint16_t model_id, vendor;
> uint32_t vendor_mod_id;
> struct node_element *ele;
> - uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
> + uint8_t *data = NULL;
> uint32_t len;
> struct l_dbus_message *reply;
> int result;
> @@ -1657,10 +1657,10 @@ static struct l_dbus_message
> *vendor_publish_call(struct l_dbus *dbus,
>
> src = node_get_primary(node) + ele->idx;
>
> - l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
> - if (!len)
> + if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len)
> ||
> + !len || len >
> MESH_MAX_ACCESS_PAYLOAD)
> return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
> - "Mesh message is empty");
> + "Incorrect data");
>
> vendor_mod_id = (vendor << 16) | model_id;
> result = mesh_model_publish(node, vendor_mod_id, src, @@ -
> 1686,7 +1686,7 @@ static void setup_node_interface(struct l_dbus_interface
> *iface)
> "", "oqqay", "element_path",
> "vendor", "model_id",
> "data");
>
> - /*TODO: Properties */
> + /* TODO: Properties */
> }
>
> bool node_dbus_init(struct l_dbus *bus)
> --
> 2.17.2