[PATCH 1/3] tests: Demarshalling of very long array/string lengths.

Tue, 14 Aug 2018 04:08:28 -0700 

Attempting to demarshal message with array or string longer than its
body should return failure. Handling the length correctly is tricky when
it gets to near-UINT32_MAX values. Unexpected overflows can cause
crashes and other security issues.

These tests verify that demarshalling such message gives failure instead
of crash.
---
 tests/connection-test.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/tests/connection-test.c b/tests/connection-test.c
index 157e1bc..09b0f00 100644
--- a/tests/connection-test.c
+++ b/tests/connection-test.c
@@ -533,6 +533,52 @@ TEST(connection_marshal_demarshal)
        release_marshal_data(&data);
 }
 
+static void
+expected_fail_demarshal(struct marshal_data *data, const char *format, 
uint32_t *msg, int expected_error)
+{
+       struct wl_message message = { "test", format, NULL };
+       struct wl_closure *closure;
+       struct wl_map objects;
+       int size = msg[1];
+
+       assert(write(data->s[1], msg, size) == size);
+       assert(wl_connection_read(data->read_connection) == size);
+
+       wl_map_init(&objects, WL_MAP_SERVER_SIDE);
+       closure = wl_connection_demarshal(data->read_connection,
+                                           size, &objects, &message);
+
+       assert(closure == NULL);
+       assert(errno == expected_error);
+}
+
+TEST(connection_demarshal_failures)
+{
+       struct marshal_data data;
+       uint32_t msg[10];
+
+       setup_marshal_data(&data);
+
+       // These need careful handling on 32bit systems.
+       uint32_t overflowing_values[] = {
+               0xffffffff, 0xfffffffe, 0xfffffffd, 0xfffffffc,
+               0xfffff000, 0xffffd000, 0xffffc000, 0xffffb000
+       };
+       for (unsigned int i = 0; i < ARRAY_LENGTH(overflowing_values); i++) {
+               msg[0] = 400200;
+               msg[1] = 24;
+               msg[2] = overflowing_values[i];
+               expected_fail_demarshal(&data, "s", msg, EINVAL);
+
+               msg[0] = 400200;
+               msg[1] = 24;
+               msg[2] = overflowing_values[i];
+               expected_fail_demarshal(&data, "a", msg, EINVAL);
+       }
+
+       release_marshal_data(&data);
+}
+
 TEST(connection_marshal_alot)
 {
        struct marshal_data data;
-- 
2.16.4

_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel

Reply via email to