mirror
/
sane-project-backends
kopia lustrzana https://gitlab.com/sane-project/backends
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność

Merge branch '279-issue02-null-pointer-deref-epsonds_net_read' into 'master' 

Resolve "memory corruption bugs in libsane"

See merge request sane-project/backends!500
merge-requests/244/head
Olaf Meeuwissen 2020-08-01 03:45:15 +00:00
rodzic e44672cdf8 8e21bd5806
commit a277ea5ff1
3 zmienionych plików z 95 dodań i 87 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

174
backend/epsonds-net.c
Wyświetl plik

@ -32,11 +32,12 @@
#include "sane/sanei_debug.h" #include "sane/sanei_debug.h"
static int static ssize_t
epsonds_net_read_raw(epsonds_scanner *s, unsigned char *buf, ssize_t wanted, epsonds_net_read_raw(epsonds_scanner *s, unsigned char *buf, ssize_t wanted,
SANE_Status *status) SANE_Status *status)
{ {
int ready, read = -1; int ready;
ssize_t read = -1;
fd_set readable; fd_set readable;
struct timeval tv; struct timeval tv;
@ -62,106 +63,98 @@ epsonds_net_read_raw(epsonds_scanner *s, unsigned char *buf, ssize_t wanted,
return read; return read;
} }
int static ssize_t
epsonds_net_read_buf(epsonds_scanner *s, unsigned char *buf, ssize_t wanted,
SANE_Status * status)
{
ssize_t read = 0;
DBG(23, "%s: reading up to %lu from buffer at %p, %lu available\n",
__func__, (u_long) wanted, s->netptr, (u_long) s->netlen);
if ((size_t) wanted > s->netlen) {
*status = SANE_STATUS_IO_ERROR;
wanted = s->netlen;
}
memcpy(buf, s->netptr, wanted);
read = wanted;
s->netptr += read;
s->netlen -= read;
if (s->netlen == 0) {
DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
free(s->netbuf);
s->netbuf = s->netptr = NULL;
s->netlen = 0;
}
return read;
}
ssize_t
epsonds_net_read(epsonds_scanner *s, unsigned char *buf, ssize_t wanted, epsonds_net_read(epsonds_scanner *s, unsigned char *buf, ssize_t wanted,
SANE_Status * status) SANE_Status * status)
{ {
ssize_t size; if (wanted < 0) {
ssize_t read = 0; *status = SANE_STATUS_INVAL;
unsigned char header[12];
/* read from buffer, if available */
if (wanted && s->netptr != s->netbuf) {
DBG(23, "reading %lu from buffer at %p, %lu available\n",
(u_long) wanted, s->netptr, (u_long) s->netlen);
memcpy(buf, s->netptr, wanted);
read = wanted;
s->netlen -= wanted;
if (s->netlen == 0) {
DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
free(s->netbuf);
s->netbuf = s->netptr = NULL;
s->netlen = 0;
}
return read;
}
/* receive net header */
size = epsonds_net_read_raw(s, header, 12, status);
if (size != 12) {
return 0; return 0;
} }
size_t size;
ssize_t read = 0;
unsigned char header[12];
/* read from remainder of buffer */
if (s->netptr) {
return epsonds_net_read_buf(s, buf, wanted, status);
}
/* receive net header */
read = epsonds_net_read_raw(s, header, 12, status);
if (read != 12) {
return 0;
}
/* validate header */
if (header[0] != 'I' || header[1] != 'S') { if (header[0] != 'I' || header[1] != 'S') {
DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]); DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
*status = SANE_STATUS_IO_ERROR; *status = SANE_STATUS_IO_ERROR;
return 0; return 0;
} }
// incoming payload size /* parse payload size */
size = be32atoh(&header[6]); size = be32atoh(&header[6]);
DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
(u_long) wanted, (u_long) size);
*status = SANE_STATUS_GOOD; *status = SANE_STATUS_GOOD;
if (size == wanted) { if (!s->netbuf) {
DBG(15, "%s: direct read\n", __func__);
DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
(u_long) wanted, (u_long) size);
DBG(15, "%s: full read\n", __func__); if ((size_t) wanted > size) {
wanted = size;
if (size) {
read = epsonds_net_read_raw(s, buf, size, status);
} }
if (s->netbuf) { read = epsonds_net_read_raw(s, buf, wanted, status);
free(s->netbuf);
s->netbuf = NULL;
s->netlen = 0;
}
if (read < 0) {
return 0;
}
} else if (wanted < size) {
DBG(23, "%s: long tail\n", __func__);
read = epsonds_net_read_raw(s, s->netbuf, size, status);
if (read != size) {
return 0;
}
memcpy(buf, s->netbuf, wanted);
read = wanted;
free(s->netbuf);
s->netbuf = NULL;
s->netlen = 0;
} else { } else {
DBG(15, "%s: buffered read\n", __func__);
DBG(23, "%s: bufferable = %lu, available = %lu\n", __func__,
(u_long) s->netlen, (u_long) size);
DBG(23, "%s: partial read\n", __func__); if (s->netlen > size) {
s->netlen = size;
read = epsonds_net_read_raw(s, s->netbuf, size, status);
if (read != size) {
return 0;
} }
s->netlen = size - wanted; /* fill buffer */
s->netptr += wanted; read = epsonds_net_read_raw(s, s->netbuf, s->netlen, status);
read = wanted; s->netptr = s->netbuf;
s->netlen = (read > 0 ? read : 0);
DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]); /* copy wanted part */
DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n", read = epsonds_net_read_buf(s, buf, wanted, status);
(u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
memcpy(buf, s->netbuf, wanted);
} }
return read; return read;
@ -175,23 +168,38 @@ epsonds_net_request_read(epsonds_scanner *s, size_t len)
return status; return status;
} }
int size_t
epsonds_net_write(epsonds_scanner *s, unsigned int cmd, const unsigned char *buf, epsonds_net_write(epsonds_scanner *s, unsigned int cmd, const unsigned char *buf,
size_t buf_size, size_t reply_len, SANE_Status *status) size_t buf_size, size_t reply_len, SANE_Status *status)
{ {
unsigned char *h1, *h2; unsigned char *h1, *h2;
unsigned char *packet = malloc(12 + 8); unsigned char *packet = malloc(12 + 8);
/* XXX check allocation failure */ if (!packet) {
*status = SANE_STATUS_NO_MEM;
return 0;
}
h1 = packet; // packet header h1 = packet; // packet header
h2 = packet + 12; // data header h2 = packet + 12; // data header
if (reply_len) { if (reply_len) {
s->netbuf = s->netptr = malloc(reply_len); if (s->netbuf) {
DBG(23, "%s, freeing %p, %ld bytes unprocessed\n",
__func__, s->netbuf, (u_long) s->netlen);
free(s->netbuf);
s->netbuf = s->netptr = NULL;
s->netlen = 0;
}
s->netbuf = malloc(reply_len);
if (!s->netbuf) {
free(packet);
*status = SANE_STATUS_NO_MEM;
return 0;
}
s->netlen = reply_len; s->netlen = reply_len;
DBG(24, "allocated %lu bytes at %p\n", DBG(24, "%s: allocated %lu bytes at %p\n", __func__,
(u_long) reply_len, s->netbuf); (u_long) s->netlen, s->netbuf);
} }
DBG(24, "%s: cmd = %04x, buf = %p, buf_size = %lu, reply_len = %lu\n", DBG(24, "%s: cmd = %04x, buf = %p, buf_size = %lu, reply_len = %lu\n",

4
backend/epsonds-net.h
Wyświetl plik

@ -4,9 +4,9 @@
#include <sys/types.h> #include <sys/types.h>
#include "../include/sane/sane.h" #include "../include/sane/sane.h"
extern int epsonds_net_read(struct epsonds_scanner *s, unsigned char *buf, ssize_t buf_size, extern ssize_t epsonds_net_read(struct epsonds_scanner *s, unsigned char *buf, ssize_t buf_size,
SANE_Status *status); SANE_Status *status);
extern int epsonds_net_write(struct epsonds_scanner *s, unsigned int cmd, const unsigned char *buf, extern size_t epsonds_net_write(struct epsonds_scanner *s, unsigned int cmd, const unsigned char *buf,
size_t buf_size, size_t reply_len, size_t buf_size, size_t reply_len,
SANE_Status *status); SANE_Status *status);
extern SANE_Status epsonds_net_lock(struct epsonds_scanner *s); extern SANE_Status epsonds_net_lock(struct epsonds_scanner *s);

4
backend/epsonds.c
Wyświetl plik

@ -247,8 +247,8 @@ open_scanner(epsonds_scanner *s)
/* the scanner sends a kind of welcome msg */ /* the scanner sends a kind of welcome msg */
// XXX check command type, answer to connect is 0x80 // XXX check command type, answer to connect is 0x80
read = eds_recv(s, buf, 3, &status); read = eds_recv(s, buf, 5, &status);
if (read != 3) { if (read != 5) {
sanei_tcp_close(s->fd); sanei_tcp_close(s->fd);
s->fd = -1; s->fd = -1;
return SANE_STATUS_IO_ERROR; return SANE_STATUS_IO_ERROR;