static void
randomly_set_extreme_ints (const DBusString *orig_data,
DBusString *mutated)
{
int i;
int byte_order;
const char *d;
dbus_uint32_t orig;
static int which = 0;
unsigned int extreme_ints[] = {
_DBUS_INT_MAX,
_DBUS_UINT_MAX,
_DBUS_INT_MAX - 1,
_DBUS_UINT_MAX - 1,
_DBUS_INT_MAX - 2,
_DBUS_UINT_MAX - 2,
_DBUS_INT_MAX - 17,
_DBUS_UINT_MAX - 17,
_DBUS_INT_MAX / 2,
_DBUS_INT_MAX / 3,
_DBUS_UINT_MAX / 2,
_DBUS_UINT_MAX / 3,
0, 1, 2, 3,
(unsigned int) -1,
(unsigned int) -2,
(unsigned int) -3
};
if (orig_data != mutated)
{
_dbus_string_set_length (mutated, 0);
if (!_dbus_string_copy (orig_data, 0, mutated, 0))
_dbus_assert_not_reached ("out of mem");
}
if (_dbus_string_get_length (mutated) < 12)
return;
d = _dbus_string_get_const_data (mutated);
if (!(*d == DBUS_LITTLE_ENDIAN ||
*d == DBUS_BIG_ENDIAN))
return;
byte_order = *d;
i = random_int_in_range (4, _dbus_string_get_length (mutated) - 8);
i = _DBUS_ALIGN_VALUE (i, 4);
orig = _dbus_demarshal_uint32 (mutated, byte_order, i, NULL);
which = random_int_in_range (0, _DBUS_N_ELEMENTS (extreme_ints));
_dbus_assert (which >= 0);
_dbus_assert (which < _DBUS_N_ELEMENTS (extreme_ints));
_dbus_marshal_set_uint32 (mutated, byte_order, i,
extreme_ints[which]);
}
/**
* Creates a new memory pool, or returns #NULL on failure. Objects in
* the pool must be at least sizeof(void*) bytes each, due to the way
* memory pools work. To avoid creating 64 bit problems, this means at
* least 8 bytes on all platforms, unless you are 4 bytes on 32-bit
* and 8 bytes on 64-bit.
*
* @param element_size size of an element allocated from the pool.
* @param zero_elements whether to zero-initialize elements
* @returns the new pool or #NULL
*/
DBusMemPool*
_dbus_mem_pool_new (int element_size,
dbus_bool_t zero_elements)
{
DBusMemPool *pool;
pool = dbus_new0 (DBusMemPool, 1);
if (pool == NULL)
return NULL;
/* Make the element size at least 8 bytes. */
if (element_size < 8)
element_size = 8;
/* these assertions are equivalent but the first is more clear
* to programmers that see it fail.
*/
_dbus_assert (element_size >= (int) sizeof (void*));
_dbus_assert (element_size >= (int) sizeof (DBusFreedElement));
/* align the element size to a pointer boundary so we won't get bus
* errors under other architectures.
*/
pool->element_size = _DBUS_ALIGN_VALUE (element_size, sizeof (void *));
pool->zero_elements = zero_elements != FALSE;
pool->allocated_elements = 0;
/* pick a size for the first block; it increases
* for each block we need to allocate. This is
* actually half the initial block size
* since _dbus_mem_pool_alloc() unconditionally
* doubles it prior to creating a new block. */
pool->block_size = pool->element_size * 8;
_dbus_assert ((pool->block_size %
pool->element_size) == 0);
return pool;
}
static void
randomly_modify_length (const DBusString *orig_data,
DBusString *mutated)
{
int i;
int byte_order;
const char *d;
dbus_uint32_t orig;
int delta;
if (orig_data != mutated)
{
_dbus_string_set_length (mutated, 0);
if (!_dbus_string_copy (orig_data, 0, mutated, 0))
_dbus_assert_not_reached ("out of mem");
}
if (_dbus_string_get_length (mutated) < 12)
return;
d = _dbus_string_get_const_data (mutated);
if (!(*d == DBUS_LITTLE_ENDIAN ||
*d == DBUS_BIG_ENDIAN))
return;
byte_order = *d;
i = random_int_in_range (4, _dbus_string_get_length (mutated) - 8);
i = _DBUS_ALIGN_VALUE (i, 4);
orig = _dbus_demarshal_uint32 (mutated, byte_order, i, NULL);
delta = random_int_in_range (-10, 10);
_dbus_marshal_set_uint32 (mutated, byte_order, i,
(unsigned) (orig + delta));
}
static dbus_bool_t
generate_uint32_changed (DBusMessageDataIter *iter,
DBusString *data,
DBusValidity *expected_validity)
{
int body_seq;
int byte_seq;
int change_seq;
dbus_uint32_t v_UINT32;
int byte_order;
const UIntChange *change;
int base_depth;
/* Outer loop is each body, next loop is each change,
* inner loop is each change location
*/
base_depth = iter->depth;
next_body:
_dbus_assert (iter->depth == (base_depth + 0));
_dbus_string_set_length (data, 0);
body_seq = iter_get_sequence (iter);
if (!generate_many_bodies (iter, data, expected_validity))
return FALSE;
_dbus_assert (iter->depth == (base_depth + 0));
iter_set_sequence (iter, body_seq); /* undo the "next" from generate_many_bodies */
iter_recurse (iter);
next_change:
_dbus_assert (iter->depth == (base_depth + 1));
change_seq = iter_get_sequence (iter);
if (change_seq == _DBUS_N_ELEMENTS (uint32_changes))
{
/* Reset change count */
iter_set_sequence (iter, 0);
iter_unrecurse (iter);
iter_next (iter);
goto next_body;
}
_dbus_assert (iter->depth == (base_depth + 1));
iter_recurse (iter);
_dbus_assert (iter->depth == (base_depth + 2));
byte_seq = iter_get_sequence (iter);
/* skip 4 bytes at a time */
iter_next (iter);
iter_next (iter);
iter_next (iter);
iter_next (iter);
iter_unrecurse (iter);
_dbus_assert (_DBUS_ALIGN_VALUE (byte_seq, 4) == (unsigned) byte_seq);
if (byte_seq >= (_dbus_string_get_length (data) - 4))
{
/* reset byte count */
_dbus_assert (iter->depth == (base_depth + 1));
iter_recurse (iter);
_dbus_assert (iter->depth == (base_depth + 2));
iter_set_sequence (iter, 0);
iter_unrecurse (iter);
_dbus_assert (iter->depth == (base_depth + 1));
iter_next (iter);
goto next_change;
}
_dbus_assert (byte_seq <= (_dbus_string_get_length (data) - 4));
byte_order = _dbus_string_get_byte (data, BYTE_ORDER_OFFSET);
v_UINT32 = _dbus_marshal_read_uint32 (data, byte_seq, byte_order, NULL);
change = &uint32_changes[change_seq];
if (change->type == CHANGE_TYPE_ADJUST)
{
v_UINT32 += (int) change->value;
}
else
{
v_UINT32 = change->value;
}
#if 0
printf ("body %d change %d pos %d ",
body_seq, change_seq, byte_seq);
if (change->type == CHANGE_TYPE_ADJUST)
printf ("adjust by %d", (int) change->value);
else
printf ("set to %u", change->value);
printf (" \t%u -> %u\n",
_dbus_marshal_read_uint32 (data, byte_seq, byte_order, NULL),
v_UINT32);
#endif
_dbus_marshal_set_uint32 (data, byte_seq, v_UINT32, byte_order);
*expected_validity = DBUS_VALIDITY_UNKNOWN;
_dbus_assert (iter->depth == (base_depth + 1));
iter_unrecurse (iter);
_dbus_assert (iter->depth == (base_depth + 0));
return TRUE;
}
/**
* Creates a message header from potentially-untrusted data. The
* return value is #TRUE if there was enough memory and the data was
* valid. If it returns #TRUE, the header will be created. If it
* returns #FALSE and *validity == #DBUS_VALIDITY_UNKNOWN_OOM_ERROR,
* then there wasn't enough memory. If it returns #FALSE
* and *validity != #DBUS_VALIDITY_UNKNOWN_OOM_ERROR then the data was
* invalid.
*
* The byte_order, fields_array_len, and body_len args should be from
* _dbus_header_have_message_untrusted(). Validation performed in
* _dbus_header_have_message_untrusted() is assumed to have been
* already done.
*
* @param header the header (must be initialized)
* @param mode whether to do validation
* @param validity return location for invalidity reason
* @param byte_order byte order from header
* @param fields_array_len claimed length of fields array
* @param body_len claimed length of body
* @param header_len claimed length of header
* @param str a string
* @param start start of header, 8-aligned
* @param len length of string to look at
* @returns #FALSE if no memory or data was invalid, #TRUE otherwise
*/
dbus_bool_t
_dbus_header_load (DBusHeader *header,
DBusValidationMode mode,
DBusValidity *validity,
int byte_order,
int fields_array_len,
int header_len,
int body_len,
const DBusString *str,
int start,
int len)
{
int leftover;
DBusValidity v;
DBusTypeReader reader;
DBusTypeReader array_reader;
unsigned char v_byte;
dbus_uint32_t v_uint32;
dbus_uint32_t serial;
int padding_start;
int padding_len;
int i;
_dbus_assert (start == (int) _DBUS_ALIGN_VALUE (start, 8));
_dbus_assert (header_len <= len);
_dbus_assert (_dbus_string_get_length (&header->data) == 0);
if (!_dbus_string_copy_len (str, start, header_len, &header->data, 0))
{
_dbus_verbose ("Failed to copy buffer into new header\n");
*validity = DBUS_VALIDITY_UNKNOWN_OOM_ERROR;
return FALSE;
}
if (mode == DBUS_VALIDATION_MODE_WE_TRUST_THIS_DATA_ABSOLUTELY)
{
leftover = len - header_len - body_len - start;
}
else
{
v = _dbus_validate_body_with_reason (&_dbus_header_signature_str, 0,
byte_order,
&leftover,
str, start, len);
if (v != DBUS_VALID)
{
*validity = v;
goto invalid;
}
}
_dbus_assert (leftover < len);
padding_len = header_len - (FIRST_FIELD_OFFSET + fields_array_len);
padding_start = start + FIRST_FIELD_OFFSET + fields_array_len;
_dbus_assert (start + header_len == (int) _DBUS_ALIGN_VALUE (padding_start, 8));
_dbus_assert (start + header_len == padding_start + padding_len);
if (mode != DBUS_VALIDATION_MODE_WE_TRUST_THIS_DATA_ABSOLUTELY)
{
if (!_dbus_string_validate_nul (str, padding_start, padding_len))
{
*validity = DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
goto invalid;
}
}
header->padding = padding_len;
if (mode == DBUS_VALIDATION_MODE_WE_TRUST_THIS_DATA_ABSOLUTELY)
{
*validity = DBUS_VALID;
return TRUE;
}
/* We now know the data is well-formed, but we have to check that
* it's valid.
*/
_dbus_type_reader_init (&reader,
byte_order,
&_dbus_header_signature_str, 0,
str, start);
/* BYTE ORDER */
_dbus_assert (_dbus_type_reader_get_current_type (&reader) == DBUS_TYPE_BYTE);
_dbus_assert (_dbus_type_reader_get_value_pos (&reader) == BYTE_ORDER_OFFSET);
_dbus_type_reader_read_basic (&reader, &v_byte);
_dbus_type_reader_next (&reader);
_dbus_assert (v_byte == byte_order);
header->byte_order = byte_order;
/* MESSAGE TYPE */
_dbus_assert (_dbus_type_reader_get_current_type (&reader) == DBUS_TYPE_BYTE);
_dbus_assert (_dbus_type_reader_get_value_pos (&reader) == TYPE_OFFSET);
_dbus_type_reader_read_basic (&reader, &v_byte);
_dbus_type_reader_next (&reader);
/* unknown message types are supposed to be ignored, so only validation here is
* that it isn't invalid
*/
if (v_byte == DBUS_MESSAGE_TYPE_INVALID)
{
*validity = DBUS_INVALID_BAD_MESSAGE_TYPE;
goto invalid;
}
/* FLAGS */
_dbus_assert (_dbus_type_reader_get_current_type (&reader) == DBUS_TYPE_BYTE);
_dbus_assert (_dbus_type_reader_get_value_pos (&reader) == FLAGS_OFFSET);
_dbus_type_reader_read_basic (&reader, &v_byte);
_dbus_type_reader_next (&reader);
/* unknown flags should be ignored */
/* PROTOCOL VERSION */
_dbus_assert (_dbus_type_reader_get_current_type (&reader) == DBUS_TYPE_BYTE);
_dbus_assert (_dbus_type_reader_get_value_pos (&reader) == VERSION_OFFSET);
_dbus_type_reader_read_basic (&reader, &v_byte);
_dbus_type_reader_next (&reader);
if (v_byte != DBUS_MAJOR_PROTOCOL_VERSION)
{
*validity = DBUS_INVALID_BAD_PROTOCOL_VERSION;
goto invalid;
}
/* BODY LENGTH */
_dbus_assert (_dbus_type_reader_get_current_type (&reader) == DBUS_TYPE_UINT32);
_dbus_assert (_dbus_type_reader_get_value_pos (&reader) == BODY_LENGTH_OFFSET);
_dbus_type_reader_read_basic (&reader, &v_uint32);
_dbus_type_reader_next (&reader);
_dbus_assert (body_len == (signed) v_uint32);
/* SERIAL */
_dbus_assert (_dbus_type_reader_get_current_type (&reader) == DBUS_TYPE_UINT32);
_dbus_assert (_dbus_type_reader_get_value_pos (&reader) == SERIAL_OFFSET);
_dbus_type_reader_read_basic (&reader, &serial);
_dbus_type_reader_next (&reader);
if (serial == 0)
{
*validity = DBUS_INVALID_BAD_SERIAL;
goto invalid;
}
_dbus_assert (_dbus_type_reader_get_current_type (&reader) == DBUS_TYPE_ARRAY);
_dbus_assert (_dbus_type_reader_get_value_pos (&reader) == FIELDS_ARRAY_LENGTH_OFFSET);
_dbus_type_reader_recurse (&reader, &array_reader);
while (_dbus_type_reader_get_current_type (&array_reader) != DBUS_TYPE_INVALID)
{
DBusTypeReader struct_reader;
DBusTypeReader variant_reader;
unsigned char field_code;
_dbus_assert (_dbus_type_reader_get_current_type (&array_reader) == DBUS_TYPE_STRUCT);
_dbus_type_reader_recurse (&array_reader, &struct_reader);
_dbus_assert (_dbus_type_reader_get_current_type (&struct_reader) == DBUS_TYPE_BYTE);
_dbus_type_reader_read_basic (&struct_reader, &field_code);
_dbus_type_reader_next (&struct_reader);
if (field_code == DBUS_HEADER_FIELD_INVALID)
{
_dbus_verbose ("invalid header field code\n");
*validity = DBUS_INVALID_HEADER_FIELD_CODE;
goto invalid;
}
if (field_code > DBUS_HEADER_FIELD_LAST)
{
_dbus_verbose ("unknown header field code %d, skipping\n",
field_code);
goto next_field;
}
_dbus_assert (_dbus_type_reader_get_current_type (&struct_reader) == DBUS_TYPE_VARIANT);
_dbus_type_reader_recurse (&struct_reader, &variant_reader);
v = load_and_validate_field (header, field_code, &variant_reader);
if (v != DBUS_VALID)
{
_dbus_verbose ("Field %d was invalid\n", field_code);
*validity = v;
goto invalid;
}
next_field:
_dbus_type_reader_next (&array_reader);
}
/* Anything we didn't fill in is now known not to exist */
i = 0;
while (i <= DBUS_HEADER_FIELD_LAST)
{
if (header->fields[i].value_pos == _DBUS_HEADER_FIELD_VALUE_UNKNOWN)
header->fields[i].value_pos = _DBUS_HEADER_FIELD_VALUE_NONEXISTENT;
++i;
}
v = check_mandatory_fields (header);
if (v != DBUS_VALID)
{
_dbus_verbose ("Mandatory fields were missing, code %d\n", v);
*validity = v;
goto invalid;
}
*validity = DBUS_VALID;
return TRUE;
invalid:
_dbus_string_set_length (&header->data, 0);
return FALSE;
}
static DBusValidity
load_and_validate_field (DBusHeader *header,
int field,
DBusTypeReader *variant_reader)
{
int type;
int expected_type;
const DBusString *value_str;
int value_pos;
int str_data_pos;
dbus_uint32_t v_UINT32;
int bad_string_code;
dbus_bool_t (* string_validation_func) (const DBusString *str,
int start, int len);
/* Supposed to have been checked already */
_dbus_assert (field <= DBUS_HEADER_FIELD_LAST);
_dbus_assert (field != DBUS_HEADER_FIELD_INVALID);
/* Before we can cache a field, we need to know it has the right type */
type = _dbus_type_reader_get_current_type (variant_reader);
_dbus_assert (_dbus_header_field_types[field].code == field);
expected_type = EXPECTED_TYPE_OF_FIELD (field);
if (type != expected_type)
{
_dbus_verbose ("Field %d should have type %d but has %d\n",
field, expected_type, type);
return DBUS_INVALID_HEADER_FIELD_HAS_WRONG_TYPE;
}
/* If the field was provided twice, we aren't happy */
if (header->fields[field].value_pos >= 0)
{
_dbus_verbose ("Header field %d seen a second time\n", field);
return DBUS_INVALID_HEADER_FIELD_APPEARS_TWICE;
}
/* Now we can cache and look at the field content */
_dbus_verbose ("initially caching field %d\n", field);
_dbus_header_cache_one (header, field, variant_reader);
string_validation_func = NULL;
/* make compiler happy that all this is initialized */
v_UINT32 = 0;
value_str = NULL;
value_pos = -1;
str_data_pos = -1;
bad_string_code = DBUS_VALID;
if (expected_type == DBUS_TYPE_UINT32)
{
_dbus_header_get_field_basic (header, field, expected_type,
&v_UINT32);
}
else if (expected_type == DBUS_TYPE_STRING ||
expected_type == DBUS_TYPE_OBJECT_PATH ||
expected_type == DBUS_TYPE_SIGNATURE)
{
_dbus_header_get_field_raw (header, field,
&value_str, &value_pos);
str_data_pos = _DBUS_ALIGN_VALUE (value_pos, 4) + 4;
}
else
{
_dbus_assert_not_reached ("none of the known fields should have this type");
}
switch (field)
{
case DBUS_HEADER_FIELD_DESTINATION:
string_validation_func = _dbus_validate_bus_name;
bad_string_code = DBUS_INVALID_BAD_DESTINATION;
break;
case DBUS_HEADER_FIELD_INTERFACE:
string_validation_func = _dbus_validate_interface;
bad_string_code = DBUS_INVALID_BAD_INTERFACE;
if (_dbus_string_equal_substring (&_dbus_local_interface_str,
0,
_dbus_string_get_length (&_dbus_local_interface_str),
value_str, str_data_pos))
{
_dbus_verbose ("Message is on the local interface\n");
return DBUS_INVALID_USES_LOCAL_INTERFACE;
}
break;
case DBUS_HEADER_FIELD_MEMBER:
string_validation_func = _dbus_validate_member;
bad_string_code = DBUS_INVALID_BAD_MEMBER;
break;
case DBUS_HEADER_FIELD_ERROR_NAME:
string_validation_func = _dbus_validate_error_name;
bad_string_code = DBUS_INVALID_BAD_ERROR_NAME;
break;
case DBUS_HEADER_FIELD_SENDER:
string_validation_func = _dbus_validate_bus_name;
bad_string_code = DBUS_INVALID_BAD_SENDER;
break;
case DBUS_HEADER_FIELD_PATH:
/* OBJECT_PATH was validated generically due to its type */
string_validation_func = NULL;
if (_dbus_string_equal_substring (&_dbus_local_path_str,
0,
_dbus_string_get_length (&_dbus_local_path_str),
value_str, str_data_pos))
{
_dbus_verbose ("Message is from the local path\n");
return DBUS_INVALID_USES_LOCAL_PATH;
}
break;
case DBUS_HEADER_FIELD_REPLY_SERIAL:
/* Can't be 0 */
if (v_UINT32 == 0)
{
return DBUS_INVALID_BAD_SERIAL;
}
break;
case DBUS_HEADER_FIELD_SIGNATURE:
/* SIGNATURE validated generically due to its type */
string_validation_func = NULL;
break;
default:
_dbus_assert_not_reached ("unknown field shouldn't be seen here");
break;
}
if (string_validation_func)
{
dbus_uint32_t len;
_dbus_assert (bad_string_code != DBUS_VALID);
len = _dbus_marshal_read_uint32 (value_str, value_pos,
header->byte_order, NULL);
#if 0
_dbus_verbose ("Validating string header field; code %d if fails\n",
bad_string_code);
#endif
if (!(*string_validation_func) (value_str, str_data_pos, len))
return bad_string_code;
}
return DBUS_VALID;
}
/**
* Given data long enough to contain the length of the message body
* and the fields array, check whether the data is long enough to
* contain the entire message (assuming the claimed lengths are
* accurate). Also checks that the lengths are in sanity parameters.
*
* @param max_message_length maximum length of a valid message
* @param validity return location for why the data is invalid if it is
* @param byte_order return location for byte order
* @param fields_array_len return location for claimed fields array length
* @param header_len return location for claimed header length
* @param body_len return location for claimed body length
* @param str the data
* @param start start of data, 8-aligned
* @param len length of data
* @returns #TRUE if the data is long enough for the claimed length, and the lengths were valid
*/
dbus_bool_t
_dbus_header_have_message_untrusted (int max_message_length,
DBusValidity *validity,
int *byte_order,
int *fields_array_len,
int *header_len,
int *body_len,
const DBusString *str,
int start,
int len)
{
dbus_uint32_t header_len_unsigned;
dbus_uint32_t fields_array_len_unsigned;
dbus_uint32_t body_len_unsigned;
_dbus_assert (start >= 0);
_dbus_assert (start < _DBUS_INT32_MAX / 2);
_dbus_assert (len >= 0);
_dbus_assert (start == (int) _DBUS_ALIGN_VALUE (start, 8));
*byte_order = _dbus_string_get_byte (str, start + BYTE_ORDER_OFFSET);
if (*byte_order != DBUS_LITTLE_ENDIAN && *byte_order != DBUS_BIG_ENDIAN)
{
*validity = DBUS_INVALID_BAD_BYTE_ORDER;
return FALSE;
}
_dbus_assert (FIELDS_ARRAY_LENGTH_OFFSET + 4 <= len);
fields_array_len_unsigned = _dbus_marshal_read_uint32 (str, start + FIELDS_ARRAY_LENGTH_OFFSET,
*byte_order, NULL);
if (fields_array_len_unsigned > (unsigned) max_message_length)
{
*validity = DBUS_INVALID_INSANE_FIELDS_ARRAY_LENGTH;
return FALSE;
}
_dbus_assert (BODY_LENGTH_OFFSET + 4 < len);
body_len_unsigned = _dbus_marshal_read_uint32 (str, start + BODY_LENGTH_OFFSET,
*byte_order, NULL);
if (body_len_unsigned > (unsigned) max_message_length)
{
*validity = DBUS_INVALID_INSANE_BODY_LENGTH;
return FALSE;
}
header_len_unsigned = FIRST_FIELD_OFFSET + fields_array_len_unsigned;
header_len_unsigned = _DBUS_ALIGN_VALUE (header_len_unsigned, 8);
/* overflow should be impossible since the lengths aren't allowed to
* be huge.
*/
_dbus_assert (max_message_length < _DBUS_INT32_MAX / 2);
if (body_len_unsigned + header_len_unsigned > (unsigned) max_message_length)
{
*validity = DBUS_INVALID_MESSAGE_TOO_LONG;
return FALSE;
}
_dbus_assert (body_len_unsigned < (unsigned) _DBUS_INT32_MAX);
_dbus_assert (fields_array_len_unsigned < (unsigned) _DBUS_INT32_MAX);
_dbus_assert (header_len_unsigned < (unsigned) _DBUS_INT32_MAX);
*body_len = body_len_unsigned;
*fields_array_len = fields_array_len_unsigned;
*header_len = header_len_unsigned;
*validity = DBUS_VALID;
_dbus_verbose ("have %d bytes, need body %u + header %u = %u\n",
len, body_len_unsigned, header_len_unsigned,
body_len_unsigned + header_len_unsigned);
return (body_len_unsigned + header_len_unsigned) <= (unsigned) len;
}
