authorSree Harsha Totakura <totakura@in.tum.de>2016-07-07 08:55:26 +0000
committerSree Harsha Totakura <totakura@in.tum.de>2016-07-07 08:55:26 +0000
commitea7bfd24c3f394ee60a1f02d358c7ba88e05447c (patch)
tree387b62b1bbf0f959b5df8bc52cb6d8630987ed5e /src/testbed/testbed_api.c
parentaeece360025012e270a30d4cd174a60fca30af38 (diff)
introduce more message parsing checks
These checks may provide hints for Coverity.
Diffstat (limited to 'src/testbed/testbed_api.c')
-rw-r--r--src/testbed/testbed_api.c33
1 files changed, 30 insertions, 3 deletions
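diff --git a/src/testbed/testbed_api.c b/src/testbed/testbed_api.c
index 7c0ed1f02..6fec82ab2 100644
--- a/src/testbed/testbed_api.c
+++ b/src/testbed/testbed_api.c
@@ -1242,16 +1242,43 @@ handle_barrier_status (void *cls,
 emsg = NULL;
 barrier = NULL;
 msize = ntohs (msg->header.size);
+if (msize <= sizeof (struct GNUNET_TESTBED_BarrierStatusMsg))
+{
+GNUNET_break_op (0);
+goto cleanup;
+}
 name = msg->data;
 name_len = ntohs (msg->name_len);
+if (name_len >= //name_len is strlen(barrier_name)
+(msize - ((sizeof msg->header) + sizeof (msg->status)) ) )
+{
+GNUNET_break_op (0);
+goto cleanup;
+}
+if ('\0' != name[name_len])
+{
+GNUNET_break_op (0);
+goto cleanup;
+}
 LOG_DEBUG ("Received BARRIER_STATUS msg\n");
 status = ntohs (msg->status);
 if (GNUNET_TESTBED_BARRIERSTATUS_ERROR == status)
 {
 status = -1;
-emsg_len = msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg) + name_len
-+ 1);
-emsg = GNUNET_malloc (emsg_len + 1);
+//unlike name_len, emsg_len includes the trailing zero
+emsg_len = msize - (sizeof (struct GNUNET_TESTBED_BarrierStatusMsg)
++ (name_len + 1));
+if (0 == emsg_len)
+{
+GNUNET_break_op (0);
+goto cleanup;
+}
+if ('\0' != (msg->data[(name_len + 1) + (emsg_len - 1)]))
+{
+GNUNET_break_op (0);
+goto cleanup;
+}
+emsg = GNUNET_malloc (emsg_len);
 memcpy (emsg,
 msg->data + name_len + 1,
 emsg_len);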
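Review bot: The `name_len` bound added at new lines 1252-1253 subtracts only `sizeof msg->header` and `sizeof (msg->status)`, whereas the size check above it and the `emsg_len` computation below both use the full `sizeof (struct GNUNET_TESTBED_BarrierStatusMsg)`. If the struct also holds the `name_len` field ahead of `data` (the declaration is not visible here), the check accepts a `name_len` that reaches past the payload by the size of that field. In that case `name[name_len]` can read beyond the received message, and the later `emsg_len` subtraction can go below zero and wrap, which the `0 == emsg_len` test would not catch before the index and `memcpy`. Comparing against the same quantity everywhere closes both: `if (name_len >= (msize - sizeof (struct GNUNET_TESTBED_BarrierStatusMsg)))`. The declarations and the `cleanup` label of handle_barrier_status lie outside the hunk, so the type of `emsg_len` should be confirmed against them.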