buffer: add a hidden canary to detect format errors
Reviewed-by: Andreas Schneider <asn@samba.org>
Этот коммит содержится в:
родитель
7bd62dd652
Коммит
3b4b0f01ec
@ -38,6 +38,8 @@ struct ssh_buffer_struct {
|
|||||||
uint32_t pos;
|
uint32_t pos;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#define SSH_BUFFER_PACK_END ((uint32_t) 0x4f65feb3)
|
||||||
|
|
||||||
LIBSSH_API void ssh_buffer_free(ssh_buffer buffer);
|
LIBSSH_API void ssh_buffer_free(ssh_buffer buffer);
|
||||||
LIBSSH_API void *ssh_buffer_get_begin(ssh_buffer buffer);
|
LIBSSH_API void *ssh_buffer_get_begin(ssh_buffer buffer);
|
||||||
LIBSSH_API uint32_t ssh_buffer_get_len(ssh_buffer buffer);
|
LIBSSH_API uint32_t ssh_buffer_get_len(ssh_buffer buffer);
|
||||||
@ -49,9 +51,12 @@ int buffer_add_u32(ssh_buffer buffer, uint32_t data);
|
|||||||
int buffer_add_u64(ssh_buffer buffer, uint64_t data);
|
int buffer_add_u64(ssh_buffer buffer, uint64_t data);
|
||||||
int ssh_buffer_add_data(ssh_buffer buffer, const void *data, uint32_t len);
|
int ssh_buffer_add_data(ssh_buffer buffer, const void *data, uint32_t len);
|
||||||
int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
|
int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
|
||||||
int ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...);
|
int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...);
|
||||||
|
#define ssh_buffer_pack(buffer, format, ...) _ssh_buffer_pack((buffer),(format), __VA_ARGS__, SSH_BUFFER_PACK_END)
|
||||||
int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
|
int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
|
||||||
int ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...);
|
int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...);
|
||||||
|
#define ssh_buffer_unpack(buffer, format, ...) _ssh_buffer_unpack((buffer),(format), __VA_ARGS__, SSH_BUFFER_PACK_END)
|
||||||
|
|
||||||
int buffer_prepend_data(ssh_buffer buffer, const void *data, uint32_t len);
|
int buffer_prepend_data(ssh_buffer buffer, const void *data, uint32_t len);
|
||||||
int buffer_add_buffer(ssh_buffer buffer, ssh_buffer source);
|
int buffer_add_buffer(ssh_buffer buffer, ssh_buffer source);
|
||||||
int ssh_buffer_reinit(ssh_buffer buffer);
|
int ssh_buffer_reinit(ssh_buffer buffer);
|
||||||
|
19
src/buffer.c
19
src/buffer.c
@ -732,6 +732,13 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (rc != SSH_ERROR){
|
||||||
|
/* verify that the last hidden argument is correct */
|
||||||
|
o.dword = va_arg(ap, uint32_t);
|
||||||
|
if (o.dword != SSH_BUFFER_PACK_END){
|
||||||
|
rc = SSH_ERROR;
|
||||||
|
}
|
||||||
|
}
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -754,7 +761,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
|
|||||||
* @warning when using 'P' with a constant size (e.g. 8), do not
|
* @warning when using 'P' with a constant size (e.g. 8), do not
|
||||||
* forget to cast to (size_t).
|
* forget to cast to (size_t).
|
||||||
*/
|
*/
|
||||||
int ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){
|
int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){
|
||||||
va_list ap;
|
va_list ap;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -876,7 +883,13 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, v
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if (rc != SSH_ERROR){
|
||||||
|
/* verify that the last hidden argument is correct */
|
||||||
|
uint32_t canary = va_arg(ap, uint32_t);
|
||||||
|
if (canary != SSH_BUFFER_PACK_END){
|
||||||
|
rc = SSH_ERROR;
|
||||||
|
}
|
||||||
|
}
|
||||||
if (rc != SSH_OK){
|
if (rc != SSH_OK){
|
||||||
/* Reset the format string and erase everything that was allocated */
|
/* Reset the format string and erase everything that was allocated */
|
||||||
last = p;
|
last = p;
|
||||||
@ -930,7 +943,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, v
|
|||||||
* @warning when using 'P' with a constant size (e.g. 8), do not
|
* @warning when using 'P' with a constant size (e.g. 8), do not
|
||||||
* forget to cast to (size_t).
|
* forget to cast to (size_t).
|
||||||
*/
|
*/
|
||||||
int ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...){
|
int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...){
|
||||||
va_list ap;
|
va_list ap;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
|
Загрузка…
x
Ссылка в новой задаче
Block a user