From d5f2ad902e71b7d9010adbea936284e1285d6552 Mon Sep 17 00:00:00 2001 From: "Cameron (Kamran) Mashayekhi" Date: Tue, 13 Feb 2007 22:58:24 +0000 Subject: [PATCH] Fix for bug 242410 of Suse review on item 4.7 of the audit list. --- CASA/micasacache/sscs_unx_ipc_client.c | 351 +++++++++++++++++-------- 1 file changed, 243 insertions(+), 108 deletions(-) diff --git a/CASA/micasacache/sscs_unx_ipc_client.c b/CASA/micasacache/sscs_unx_ipc_client.c index fdde4450..3d0d41af 100644 --- a/CASA/micasacache/sscs_unx_ipc_client.c +++ b/CASA/micasacache/sscs_unx_ipc_client.c @@ -266,7 +266,13 @@ int32_t ipc_OpenSecretStore msgLen = MSGID_LEN + MSG_LEN + MSG_DWORD_LEN + MSG_STRING_LEN + - ssNameLen; + ssNameLen; + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -401,6 +407,12 @@ int32_t ipc_CloseSecretStore // Prepare Request buffer msgLen = MSGID_LEN + MSG_LEN + MSG_DWORD_LEN; + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + pReq = gpReqBuf; msgid = REQ_CACHE_CLOSE_SECRET_STORE_MSGID; @@ -507,6 +519,11 @@ int32_t ipc_RemoveSecretStore // Prepare Request buffer msgLen = MSGID_LEN + MSG_LEN; + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -617,6 +634,11 @@ int32_t ipc_EnumerateKeychainIDs // Prepare Request buffer msgLen = MSGID_LEN + MSG_LEN; + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -648,7 +670,7 @@ int32_t ipc_EnumerateKeychainIDs pReply += MSG_LEN; // I would like to get return code here itself // so that I need not check for other things. - memcpy(&bufLen,pReply, MSG_DWORD_LEN); + memcpy(&bufLen, pReply, MSG_DWORD_LEN); if( 0 == bufLen ) { retVal = IPC_READ(ssHandle->platHandle,&sockReturn, MSG_DWORD_LEN); 
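Review bot: The new guard in ipc_OpenSecretStore tests `msgLen` only after `ssNameLen` has been added to it, so it protects gpReqBuf only if that addition cannot wrap. The types of `msgLen` and `ssNameLen` are not visible in the hunk; if they are 32-bit, a very large name length could produce a small sum that passes the check while the later copy still uses the full length. Bounding the variable part before adding it avoids this, e.g. `if (ssNameLen >= MIN_REQUEST_BUF_LEN - (MSGID_LEN + MSG_LEN + MSG_DWORD_LEN + MSG_STRING_LEN)) { retCode = NSSCS_E_SYSTEM_FAILURE; break; }`. The same pattern recurs wherever a caller-supplied length is summed in: ipc_AddKeychain, ipc_RemoveKeychain, ipc_EnumerateSecretIDs, ipc_ReadSecret, ipc_RemoveSecret, ipc_GetKeychainInfo, ipc_SetMasterPasscode, ipc_RemoveKey, ipc_ReadKey, ipc_ReadBinaryKey and ipc_SetMasterPassword. The function bodies start and end outside these hunks.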
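Review bot: In ipc_CloseSecretStore the added `if(msgLen >= MIN_REQUEST_BUF_LEN)` compares a sum of what look like compile-time constants (`MSGID_LEN + MSG_LEN + MSG_DWORD_LEN`) against another constant, so the branch can never be taken at run time. The same holds for the fixed-size requests in ipc_RemoveSecretStore, ipc_EnumerateKeychainIDs, ipc_GetSecretStoreInfo, ipc_LockCache and ipc_UnlockCache. A reader auditing the overflow fix has to work out which of the checks matter; a comment such as `/* fixed-size request, always fits in gpReqBuf; check kept for uniformity */` or a compile-time assertion next to the buffer definition would make that explicit. The macro definitions are outside the diff, so this assumes they are plain constants.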
@@ -665,8 +687,15 @@ int32_t ipc_EnumerateKeychainIDs if( bufLen < MIN_REPLY_BUF_LEN/(sizeof(char)) ) pReply = gpReplyBuf; else - { - pReply = (Byte *)malloc( (bufLen+1) * sizeof(char)); + { + + if((bufLen + 1) >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + + pReply = (Byte *)malloc( (bufLen + 1) * sizeof(char)); if( NULL == pReply ) { // Cleanup the channel by reading the remaining and return error. @@ -822,6 +851,12 @@ int32_t ipc_AddKeychain MSG_DWORD_LEN + // flags MSG_STRING_LEN + keychainIDLen; // Keychain ID + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -938,6 +973,12 @@ int32_t ipc_RemoveKeychain msgLen = MSGID_LEN + MSG_LEN + MSG_STRING_LEN + keychainIDLen; // Keychain ID + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -1063,6 +1104,12 @@ int32_t ipc_EnumerateSecretIDs msgLen = MSGID_LEN + MSG_LEN + MSG_STRING_LEN + keychainIDLen; // Keychain ID + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -1113,7 +1160,13 @@ int32_t ipc_EnumerateSecretIDs pReply = gpReplyBuf; else { - pReply = (Byte *)malloc( (bufLen+1) * sizeof(SS_UTF8_T)); + if((bufLen + 1) >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + + pReply = (Byte *)malloc( (bufLen + 1) * sizeof(SS_UTF8_T)); if(pReply == NULL) { // Cleanup the channel by reading the remaining and return error. @@ -1290,7 +1343,7 @@ int32_t ipc_ReadSecret secretIDLen + // SecretID MSG_STRING_LEN + // epPassword len epPassword->pwordLen; - + // is there an ext, account for it if (ext) { 
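Review bot: The reply-size guard in ipc_EnumerateKeychainIDs, `if((bufLen + 1) >= MIN_REQUEST_BUF_LEN)`, can be bypassed by the value it is meant to bound, because `bufLen` is copied out of the reply and `bufLen + 1` wraps to 0 for the maximum value (its type is not visible here), after which `malloc((bufLen + 1) * sizeof(char))` returns a tiny buffer. Writing the test without the addition closes that: `if (bufLen >= MIN_REQUEST_BUF_LEN - 1)`. The limit is also the request-buffer constant applied to a reply; if it is not larger than MIN_REPLY_BUF_LEN the malloc branch becomes unreachable for legitimate replies, so a separate reply maximum would be clearer. The new `break` also leaves without the "Cleanup the channel by reading the remaining" step that the malloc-failure path just below performs, which may leave unread reply bytes on the socket for the next request. The identical block added in ipc_EnumerateSecretIDs has the same three issues.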
@@ -1307,7 +1360,13 @@ int32_t ipc_ReadSecret // the cache daemon expects a ext, add it here msgLen += MSG_DWORD_LEN; } - + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + pReq = gpReqBuf; msgid = REQ_CACHE_READ_SECRET_MSGID; memcpy(pReq, &msgid, MSGID_LEN); @@ -1537,7 +1596,7 @@ int ipc_WriteSecret secretData->len + MSG_STRING_LEN + // epPassword len epPassword->pwordLen; - + // is there an ext if (ext) { @@ -1578,7 +1637,13 @@ int ipc_WriteSecret { pReq = gpReqBuf; } - + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + msgid = REQ_CACHE_WRITE_SECRET_MSGID; memcpy(pReq, &msgid, MSGID_LEN); pReq += MSGID_LEN; @@ -1780,6 +1845,12 @@ int32_t ipc_RemoveSecret // the cache daemon expects a ext, add it here msgLen += MSG_DWORD_LEN; } + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -1836,7 +1907,7 @@ int32_t ipc_RemoveSecret } else { - uint32_t extID = 0; + uint32_t extID = 0; memcpy(pReq,&extID,MSG_DWORD_LEN); } @@ -1939,11 +2010,13 @@ int32_t ipc_GetSecretStoreInfo // Prepare Request buffer msgLen = MSGID_LEN + MSG_LEN; + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } - if( msgLen > MIN_REQUEST_BUF_LEN ) - { - //Allocate more memory for gpReqBuf - } pReq = gpReqBuf; msgid = REQ_GET_SECRETSTORE_INFO_MSGID; memcpy(pReq, &msgid, MSGID_LEN); @@ -1951,6 +2024,7 @@ int32_t ipc_GetSecretStoreInfo memcpy(pReq, &msgLen, MSG_LEN); pReq += MSG_LEN; + retVal = IPC_WRITE(ssHandle->platHandle, gpReqBuf, msgLen); if(retVal < 0) { 
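Review bot: In ipc_WriteSecret the added `if(msgLen >= MIN_REQUEST_BUF_LEN)` is placed after the `else { pReq = gpReqBuf; }` that closes the buffer selection, so it also fires for requests that took the other branch. The ipc_WriteKey and ipc_WriteBinaryKey hunks show that branch is `if( msgLen > MIN_REQUEST_BUF_LEN )`, which presumably obtains a larger buffer; its body is outside every hunk. With the check in this position any write too large for gpReqBuf is now refused even though a buffer was prepared for it, and if that branch allocated `pReq` the `break` leaves the allocation to whatever cleanup follows the loop. If oversized writes are meant to be rejected, doing the test before the selection and removing the large-buffer branch states that directly; if they are meant to work, the test should apply only on the gpReqBuf path, with a separate upper limit for the allocated case. ipc_WriteKey, ipc_WriteBinaryKey and ipc_IsSecretPersistent have the check in the same position.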
@@ -2061,10 +2135,12 @@ int32_t ipc_GetKeychainInfo msgLen = MSGID_LEN + MSG_LEN + MSG_DWORD_LEN + (keychainID->len ); - if( msgLen > MIN_REQUEST_BUF_LEN ) - { - //Allocate more memory for gpReqBuf - } + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + pReq = gpReqBuf; msgid = REQ_GET_KEYCHAIN_INFO_MSGID; memcpy(pReq, &msgid, MSGID_LEN); @@ -2180,6 +2256,12 @@ int32_t ipc_LockCache // Prepare Request buffer msgLen = MSGID_LEN + MSG_LEN; + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + pReq = gpReqBuf; msgid = REQ_LOCK_CACHE_MSGID; memcpy(pReq, &msgid, MSGID_LEN); @@ -2284,6 +2366,12 @@ int32_t ipc_UnlockCache // Prepare Request buffer msgLen = MSGID_LEN + MSG_LEN; + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + pReq = gpReqBuf; msgid = REQ_UNLOCK_CACHE_MSGID; memcpy(pReq, &msgid, MSGID_LEN); @@ -2399,6 +2487,12 @@ int32_t ipc_SetMasterPasscode MSG_DWORD_LEN + // passcodetype MSG_STRING_LEN + //passcodeLen passcodeLen; + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; @@ -2571,6 +2665,12 @@ int32_t ipc_RemoveKey // the cache daemon expects a ext, add it here msgLen += MSG_DWORD_LEN; } + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; msgid = REQ_REMOVE_KEY_MSGID; @@ -2775,6 +2875,12 @@ int32_t ipc_ReadKey // the cache daemon expects a ext, add it here msgLen += MSG_DWORD_LEN; } + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; msgid = REQ_READ_KEY_MSGID; @@ -3029,6 +3135,11 @@ int32_t ipc_ReadBinaryKey msgLen += MSG_DWORD_LEN; } + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } pReq = gpReqBuf; msgid = REQ_READ_BINARY_KEY_MSGID; 
@@ -3268,30 +3379,30 @@ int ipc_WriteKey MSG_STRING_LEN + // epPassword len epPassword->pwordLen; - // is there an ext, account for it - if (ext) - { - // The login capture on Windows determines the LUID of the user - // and sends it as an Extension, marshall it across the pipe - // see the WriteSecret verb for handling it. - if (ext->extID == WINDOWS_LOGIN_ID) + // is there an ext, account for it + if (ext) { - // 4 byte ext type, 4 byte len and 8 bytes of LUID - msgLen += MSG_DWORD_LEN + MSG_DWORD_LEN + WINDOWS_LUID_LEN; - // as setup in the capture module - //ext.extID = WINDOWS_LOGON_ID; - //ext.version = 0x00010000; // 1.0.0 - //ext.ext = (void *)lpLogonId; - // _LUID { DWORD LowPart; LONG HighPart; // 8 byte - } - else - msgLen += MSG_DWORD_LEN; - } - else - { - // the cache daemon expects a ext, add it here - msgLen += MSG_DWORD_LEN; - } + // The login capture on Windows determines the LUID of the user + // and sends it as an Extension, marshall it across the pipe + // see the WriteSecret verb for handling it. + if (ext->extID == WINDOWS_LOGIN_ID) + { + // 4 byte ext type, 4 byte len and 8 bytes of LUID + msgLen += MSG_DWORD_LEN + MSG_DWORD_LEN + WINDOWS_LUID_LEN; + // as setup in the capture module + //ext.extID = WINDOWS_LOGON_ID; + //ext.version = 0x00010000; // 1.0.0 + //ext.ext = (void *)lpLogonId; + // _LUID { DWORD LowPart; LONG HighPart; // 8 byte + } + else + msgLen += MSG_DWORD_LEN; + } + else + { + // the cache daemon expects a ext, add it here + msgLen += MSG_DWORD_LEN; + } if( msgLen > MIN_REQUEST_BUF_LEN ) { @@ -3308,8 +3419,14 @@ int ipc_WriteKey { pReq = gpReqBuf; } + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } - msgid = REQ_WRITE_KEY_MSGID; + msgid = REQ_WRITE_KEY_MSGID; memcpy(pReq, &msgid, MSGID_LEN); pReq += MSGID_LEN; 
@@ -3339,28 +3456,28 @@ int ipc_WriteKey pReq += epPassword->pwordLen; // marshall the extension if there is one - if (ext) - { - if (ext->extID == WINDOWS_LOGIN_ID) + if (ext) { - extID = EXT_TYPE_WINDOWS_LUID; - memcpy(pReq, &extID, MSG_DWORD_LEN); - pReq += MSG_DWORD_LEN; + if (ext->extID == WINDOWS_LOGIN_ID) + { + extID = EXT_TYPE_WINDOWS_LUID; + memcpy(pReq, &extID, MSG_DWORD_LEN); + pReq += MSG_DWORD_LEN; - luidLen = WINDOWS_LUID_LEN; - memcpy(pReq, &luidLen, MSG_DWORD_LEN); - pReq += MSG_DWORD_LEN; - - memcpy(pReq, ext->ext, 8); - pReq += 8; - } - else - { - uint32_t extID = 0; - memcpy(pReq,&extID,MSG_DWORD_LEN); - - } - } + luidLen = WINDOWS_LUID_LEN; + memcpy(pReq, &luidLen, MSG_DWORD_LEN); + pReq += MSG_DWORD_LEN; + + memcpy(pReq, ext->ext, 8); + pReq += 8; + } + else + { + uint32_t extID = 0; + memcpy(pReq,&extID,MSG_DWORD_LEN); + + } + } else { uint32_t extID = 0; 
@@ -3516,30 +3633,30 @@ int ipc_WriteBinaryKey MSG_STRING_LEN + // epPassword len epPassword->pwordLen; - // is there an ext, account for it - if (ext) - { - // The login capture on Windows determines the LUID of the user - // and sends it as an Extension, marshall it across the pipe - // see the WriteSecret verb for handling it. - if (ext->extID == WINDOWS_LOGIN_ID) + // is there an ext, account for it + if (ext) { - // 4 byte ext type, 4 byte len and 8 bytes of LUID - msgLen += MSG_DWORD_LEN + MSG_DWORD_LEN + WINDOWS_LUID_LEN; - // as setup in the capture module - //ext.extID = WINDOWS_LOGON_ID; - //ext.version = 0x00010000; // 1.0.0 - //ext.ext = (void *)lpLogonId; - // _LUID { DWORD LowPart; LONG HighPart; // 8 byte - } - else - msgLen += MSG_DWORD_LEN; - } - else - { - // the cache daemon expects a ext, add it here - msgLen += MSG_DWORD_LEN; - } + // The login capture on Windows determines the LUID of the user + // and sends it as an Extension, marshall it across the pipe + // see the WriteSecret verb for handling it. + if (ext->extID == WINDOWS_LOGIN_ID) + { + // 4 byte ext type, 4 byte len and 8 bytes of LUID + msgLen += MSG_DWORD_LEN + MSG_DWORD_LEN + WINDOWS_LUID_LEN; + // as setup in the capture module + //ext.extID = WINDOWS_LOGON_ID; + //ext.version = 0x00010000; // 1.0.0 + //ext.ext = (void *)lpLogonId; + // _LUID { DWORD LowPart; LONG HighPart; // 8 byte + } + else + msgLen += MSG_DWORD_LEN; + } + else + { + // the cache daemon expects a ext, add it here + msgLen += MSG_DWORD_LEN; + } if( msgLen > MIN_REQUEST_BUF_LEN ) { @@ -3557,8 +3674,14 @@ int ipc_WriteBinaryKey pReq = gpReqBuf; } - - msgid = REQ_WRITE_BINARY_KEY_MSGID; + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + + msgid = REQ_WRITE_BINARY_KEY_MSGID; memcpy(pReq, &msgid, MSGID_LEN); pReq += MSGID_LEN; 
@@ -3588,28 +3711,28 @@ int ipc_WriteBinaryKey pReq += epPassword->pwordLen; // marshall the extension if there is one - if (ext) - { - if (ext->extID == WINDOWS_LOGIN_ID) + if (ext) { - extID = EXT_TYPE_WINDOWS_LUID; - memcpy(pReq, &extID, MSG_DWORD_LEN); - pReq += MSG_DWORD_LEN; + if (ext->extID == WINDOWS_LOGIN_ID) + { + extID = EXT_TYPE_WINDOWS_LUID; + memcpy(pReq, &extID, MSG_DWORD_LEN); + pReq += MSG_DWORD_LEN; - luidLen = WINDOWS_LUID_LEN; - memcpy(pReq, &luidLen, MSG_DWORD_LEN); - pReq += MSG_DWORD_LEN; - - memcpy(pReq, ext->ext, 8); - pReq += 8; - } - else - { - uint32_t extID = 0; - memcpy(pReq,&extID,MSG_DWORD_LEN); - - } - } + luidLen = WINDOWS_LUID_LEN; + memcpy(pReq, &luidLen, MSG_DWORD_LEN); + pReq += MSG_DWORD_LEN; + + memcpy(pReq, ext->ext, 8); + pReq += 8; + } + else + { + uint32_t extID = 0; + memcpy(pReq,&extID,MSG_DWORD_LEN); + + } + } else { uint32_t extID = 0; @@ -3734,7 +3857,13 @@ int32_t ipc_SetMasterPassword passwdLen; pReq = gpReqBuf; - + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } + msgid = REQ_SET_MASTER_PASSWORD; memcpy(pReq, &msgid, MSGID_LEN); pReq += MSGID_LEN; @@ -3896,6 +4025,12 @@ int ipc_IsSecretPersistent { pReq = gpReqBuf; } + + if(msgLen >= MIN_REQUEST_BUF_LEN) + { + retCode = NSSCS_E_SYSTEM_FAILURE; + break; + } msgid = REQ_IS_SECRET_PERSISTENT; memcpy(pReq, &msgid, MSGID_LEN);