Diffstat (limited to 'rpc_server.c')
-rw-r--r-- | rpc_server.c | 48 |
1 files changed, 34 insertions, 14 deletions
diff --git a/rpc_server.c b/rpc_server.c index 5a06e37..9598413 100644 --- a/rpc_server.c +++ b/rpc_server.c @@ -35,7 +35,6 @@ #include "hal.h" #include "hal_internal.h" #include "xdr_internal.h" -#include "hashsig.h" /* * RPC calls. @@ -68,7 +67,7 @@ static hal_error_t get_random(const uint8_t **iptr, const uint8_t * const ilimit check(hal_xdr_decode_int(iptr, ilimit, &length)); /* sanity check length */ - if (length == 0 || length > (uint32_t)(olimit - *optr - nargs(1))) + if (nargs(1) + pad(length) > (uint32_t)(olimit - *optr)) return HAL_ERROR_RPC_PACKET_OVERFLOW; /* get the data directly into the output buffer */ @@ -168,13 +167,19 @@ static hal_error_t hash_get_digest_algorithm_id(const uint8_t **iptr, const uint check(hal_xdr_decode_int(iptr, ilimit, &alg)); check(hal_xdr_decode_int(iptr, ilimit, &len_max)); /* sanity check len_max */ - if (len_max > (uint32_t)(olimit - *optr - nargs(1))) + if (nargs(1) + pad(len_max) > (uint32_t)(olimit - *optr)) return HAL_ERROR_RPC_PACKET_OVERFLOW; - /* get the data directly into the output buffer */ - if ((err = hal_rpc_hash_get_digest_algorithm_id(alg, *optr + nargs(1), &len, (size_t)len_max)) == HAL_OK) { - check(hal_xdr_encode_int(optr, olimit, len)); - *optr += pad(len); + if (len_max == 0) { + if ((err = hal_rpc_hash_get_digest_algorithm_id(alg, NULL, &len, 0)) == HAL_OK) + check(hal_xdr_encode_int(optr, olimit, len)); + } + else { + /* get the data directly into the output buffer */ + if ((err = hal_rpc_hash_get_digest_algorithm_id(alg, *optr + nargs(1), &len, (size_t)len_max)) == HAL_OK) { + check(hal_xdr_encode_int(optr, olimit, len)); + *optr += pad(len); + } } return err; 
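Review bot: The new bound in get_random computes `nargs(1) + pad(length)` before comparing, so a client-supplied `length` close to UINT32_MAX can wrap the left-hand side to a small value and pass the check. This assumes pad() rounds up in 32-bit arithmetic, which its definition outside this diff should confirm. The old form compared `length` directly and had no such wrap. Bounding the raw value first keeps the sum in range: `if (length > (uint32_t)(olimit - *optr) || nargs(1) + pad(length) > (uint32_t)(olimit - *optr))`. The same expression appears in the hash_get_digest_algorithm_id, hash_finalize, pkey_get_public_key, pkey_sign and pkey_export hunks, and this hunk also drops the `length == 0` rejection, so the callee (outside the hunk) must accept a zero-length request.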
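Review bot: The new `len_max == 0` branch in hash_get_digest_algorithm_id is undocumented, and it changes the reply shape: a length word is encoded with no opaque bytes after it, and `*optr` is not advanced by `pad(len)`. A comment above the branch such as `/* len_max == 0: length-only query, reply carries len but no data */` would make that contract explicit for whoever maintains the client-side decoder. The inner `if` guarding a lone `check(...)` would also be safer with braces, since check() is a macro whose expansion is not visible here.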
@@ -210,6 +215,8 @@ static hal_error_t hash_initialize(const uint8_t **iptr, const uint8_t * const i check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); check(hal_xdr_decode_int(iptr, ilimit, &alg)); check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &key, &key_len)); + if (key_len == 0) + key = NULL; check(hal_rpc_hash_initialize(client, session, &hash, (hal_digest_algorithm_t)alg, key, (size_t)key_len)); @@ -245,7 +252,7 @@ static hal_error_t hash_finalize(const uint8_t **iptr, const uint8_t * const ili check(hal_xdr_decode_int(iptr, ilimit, &hash.handle)); check(hal_xdr_decode_int(iptr, ilimit, &length)); /* sanity check length */ - if (length > (uint32_t)(olimit - *optr - nargs(1))) + if (nargs(1) + pad(length) > (uint32_t)(olimit - *optr)) return HAL_ERROR_RPC_PACKET_OVERFLOW; /* get the data directly into the output buffer */ @@ -493,7 +500,7 @@ static hal_error_t pkey_get_public_key(const uint8_t **iptr, const uint8_t * con check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); check(hal_xdr_decode_int(iptr, ilimit, &len_max)); /* sanity check len_max */ - if (len_max > (uint32_t)(olimit - *optr - nargs(1))) + if (nargs(1) + pad(len_max) > (uint32_t)(olimit - *optr)) return HAL_ERROR_RPC_PACKET_OVERFLOW; /* get the data directly into the output buffer */ @@ -523,7 +530,7 @@ static hal_error_t pkey_sign(const uint8_t **iptr, const uint8_t * const ilimit, check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &input, &input_len)); check(hal_xdr_decode_int(iptr, ilimit, &sig_max)); /* sanity check sig_max */ - if (sig_max > (uint32_t)(olimit - *optr - nargs(1))) + if (nargs(1) + pad(sig_max) > (uint32_t)(olimit - *optr)) return HAL_ERROR_RPC_PACKET_OVERFLOW; /* get the data directly into the output buffer */ 
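Review bot: The added `if (key_len == 0) key = NULL;` in hash_initialize has no comment explaining why an empty opaque from the client is turned into a NULL pointer. Presumably hal_rpc_hash_initialize tells keyed from unkeyed hashing by `key == NULL`, in which case an empty key in the request now selects the unkeyed path. If that is the intent, a one-line comment such as `/* zero-length key selects plain hashing, not HMAC with an empty key */` would record it. The function body continues outside the hunk.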
@@ -576,6 +583,9 @@ static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit check(hal_xdr_decode_int(iptr, ilimit, &flags)); check(hal_xdr_decode_int(iptr, ilimit, &attributes_len)); + if (nargs(2 * attributes_len) > (uint32_t)(ilimit - *iptr)) + return HAL_ERROR_RPC_PACKET_OVERFLOW; + hal_pkey_attribute_t attributes[attributes_len > 0 ? attributes_len : 1]; for (size_t i = 0; i < attributes_len; i++) { @@ -597,6 +607,9 @@ static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit const hal_uuid_t * const previous_uuid = (const void *) previous_uuid_ptr; + if (nargs(2) + result_max * (nargs(1) + sizeof(hal_uuid_t)) > (uint32_t)(olimit - *optr)) + return HAL_ERROR_RPC_PACKET_OVERFLOW; + hal_uuid_t result[result_max]; unsigned result_len, ustate = state; @@ -628,6 +641,9 @@ static hal_error_t pkey_set_attributes(const uint8_t **iptr, const uint8_t * con check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); check(hal_xdr_decode_int(iptr, ilimit, &attributes_len)); + if (nargs(2 * attributes_len) > (uint32_t)(ilimit - *iptr)) + return HAL_ERROR_RPC_PACKET_OVERFLOW; + hal_pkey_attribute_t attributes[attributes_len > 0 ? attributes_len : 1]; for (size_t i = 0; i < attributes_len; i++) { @@ -656,7 +672,7 @@ static hal_error_t pkey_get_attributes(const uint8_t **iptr, const uint8_t * con { hal_client_handle_t client; hal_pkey_handle_t pkey; - uint32_t attributes_len, u32; + uint32_t attributes_len, attributes_buffer_len; uint8_t *optr_orig = *optr; hal_error_t err; 
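Review bot: The added guard `nargs(2 * attributes_len) > (uint32_t)(ilimit - *iptr)` in pkey_match multiplies a client-supplied count before comparing, so a large `attributes_len` can wrap the product and pass (assuming nargs() scales its argument by the XDR word size). The `attributes[...]` line after it then becomes a stack VLA of that size. Dividing instead avoids the wrap: `if (attributes_len > (uint32_t)(ilimit - *iptr) / nargs(2))`. Even when the check holds, the array is bounded only by the packet size, so a fixed maximum attribute count would give a predictable stack footprint. The same pattern is in the pkey_set_attributes hunk and, as `nargs(1 + attributes_len)`, in the pkey_get_attributes hunk.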
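Review bot: `hal_uuid_t result[result_max];` after the new output-size check is still a variable-length array that can have size zero, which is undefined behaviour in C. The check admits `result_max == 0`, unlike the `attributes_len > 0 ? attributes_len : 1` guard used for the attribute array. The product `result_max * (nargs(1) + sizeof(hal_uuid_t))` is evaluated in size_t, so where size_t is 32 bits it can wrap too. Comparing `result_max` against the remaining space divided by `(nargs(1) + sizeof(hal_uuid_t))` avoids that. `result_max` is presumably decoded from the request above this hunk, and the pkey_export hunk has the same zero-size case in `uint8_t pkcs8[pkcs8_max], kek[kek_max];`.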
@@ -664,14 +680,15 @@ static hal_error_t pkey_get_attributes(const uint8_t **iptr, const uint8_t * con check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle)); check(hal_xdr_decode_int(iptr, ilimit, &attributes_len)); + if (nargs(1 + attributes_len) > (uint32_t)(ilimit - *iptr)) + return HAL_ERROR_RPC_PACKET_OVERFLOW; + hal_pkey_attribute_t attributes[attributes_len > 0 ? attributes_len : 1]; for (size_t i = 0; i < attributes_len; i++) check(hal_xdr_decode_int(iptr, ilimit, &attributes[i].type)); - check(hal_xdr_decode_int(iptr, ilimit, &u32)); - - const size_t attributes_buffer_len = u32; + check(hal_xdr_decode_int(iptr, ilimit, &attributes_buffer_len)); if (nargs(1 + 2 * attributes_len) + attributes_buffer_len > (uint32_t)(olimit - *optr)) return HAL_ERROR_RPC_PACKET_OVERFLOW; @@ -715,6 +732,9 @@ static hal_error_t pkey_export(const uint8_t **iptr, const uint8_t * const ilimi check(hal_xdr_decode_int(iptr, ilimit, &pkcs8_max)); check(hal_xdr_decode_int(iptr, ilimit, &kek_max)); + if (nargs(2) + pad(pkcs8_max) + pad(kek_max) > (uint32_t)(olimit - *optr)) + return HAL_ERROR_RPC_PACKET_OVERFLOW; + uint8_t pkcs8[pkcs8_max], kek[kek_max]; check(hal_rpc_pkey_export(pkey, kekek, pkcs8, &pkcs8_len, sizeof(pkcs8), kek, &kek_len, sizeof(kek))); |
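Review bot: Decoding straight into a `uint32_t attributes_buffer_len` narrows the bound that follows, `nargs(1 + 2 * attributes_len) + attributes_buffer_len > (uint32_t)(olimit - *optr)`, from size_t to 32-bit arithmetic. On builds where size_t is wider than 32 bits the old addition could not wrap; now a large `attributes_buffer_len` can wrap the sum and pass the check. Checking the term on its own first restores that property: `if (attributes_buffer_len > (uint32_t)(olimit - *optr) || nargs(1 + 2 * attributes_len) > (uint32_t)(olimit - *optr) - attributes_buffer_len)`. How `attributes_buffer_len` is used after the check is outside the hunk.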