1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
2 /* dbus-marshal-validate.c Validation routines for marshaled data
3 *
4 * Copyright (C) 2005 Red Hat, Inc.
5 *
6 * Licensed under the Academic Free License version 2.1
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21 *
22 */
23
24 #include <config.h>
25 #include "dbus-internals.h"
26 #include "dbus-marshal-validate.h"
27 #include "dbus-marshal-recursive.h"
28 #include "dbus-marshal-basic.h"
29 #include "dbus-signature.h"
30 #include "dbus-string.h"
31
32 /**
33 * @addtogroup DBusMarshal
34 *
35 * @{
36 */
37
38 /**
39 * Verifies that the range of type_str from type_pos to type_end is a
40 * valid signature. If this function returns #TRUE, it will be safe
41 * to iterate over the signature with a types-only #DBusTypeReader.
42 * The range passed in should NOT include the terminating
43 * nul/DBUS_TYPE_INVALID.
44 *
45 * @param type_str the string
46 * @param type_pos where the typecodes start
47 * @param len length of typecodes
48 * @returns #DBUS_VALID if valid, reason why invalid otherwise
49 */
50 DBusValidity
_dbus_validate_signature_with_reason(const DBusString * type_str,int type_pos,int len)51 _dbus_validate_signature_with_reason (const DBusString *type_str,
52 int type_pos,
53 int len)
54 {
55 const unsigned char *p;
56 const unsigned char *end;
57 int last;
58 int struct_depth;
59 int array_depth;
60 int dict_entry_depth;
61 DBusValidity result;
62
63 int element_count;
64 DBusList *element_count_stack;
65
66 result = DBUS_VALID;
67 element_count_stack = NULL;
68
69 if (!_dbus_list_append (&element_count_stack, _DBUS_INT_TO_POINTER (0)))
70 {
71 result = DBUS_VALIDITY_UNKNOWN_OOM_ERROR;
72 goto out;
73 }
74
75 _dbus_assert (type_str != NULL);
76 _dbus_assert (type_pos < _DBUS_INT32_MAX - len);
77 _dbus_assert (len >= 0);
78 _dbus_assert (type_pos >= 0);
79
80 if (len > DBUS_MAXIMUM_SIGNATURE_LENGTH)
81 {
82 result = DBUS_INVALID_SIGNATURE_TOO_LONG;
83 goto out;
84 }
85
86 p = _dbus_string_get_const_data_len (type_str, type_pos, 0);
87
88 end = _dbus_string_get_const_data_len (type_str, type_pos + len, 0);
89 struct_depth = 0;
90 array_depth = 0;
91 dict_entry_depth = 0;
92 last = DBUS_TYPE_INVALID;
93
94 while (p != end)
95 {
96 switch (*p)
97 {
98 case DBUS_TYPE_BYTE:
99 case DBUS_TYPE_BOOLEAN:
100 case DBUS_TYPE_INT16:
101 case DBUS_TYPE_UINT16:
102 case DBUS_TYPE_INT32:
103 case DBUS_TYPE_UINT32:
104 case DBUS_TYPE_UNIX_FD:
105 case DBUS_TYPE_INT64:
106 case DBUS_TYPE_UINT64:
107 case DBUS_TYPE_DOUBLE:
108 case DBUS_TYPE_STRING:
109 case DBUS_TYPE_OBJECT_PATH:
110 case DBUS_TYPE_SIGNATURE:
111 case DBUS_TYPE_VARIANT:
112 break;
113
114 case DBUS_TYPE_ARRAY:
115 array_depth += 1;
116 if (array_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
117 {
118 result = DBUS_INVALID_EXCEEDED_MAXIMUM_ARRAY_RECURSION;
119 goto out;
120 }
121 break;
122
123 case DBUS_STRUCT_BEGIN_CHAR:
124 struct_depth += 1;
125
126 if (struct_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
127 {
128 result = DBUS_INVALID_EXCEEDED_MAXIMUM_STRUCT_RECURSION;
129 goto out;
130 }
131
132 if (!_dbus_list_append (&element_count_stack,
133 _DBUS_INT_TO_POINTER (0)))
134 {
135 result = DBUS_VALIDITY_UNKNOWN_OOM_ERROR;
136 goto out;
137 }
138
139 break;
140
141 case DBUS_STRUCT_END_CHAR:
142 if (struct_depth == 0)
143 {
144 result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
145 goto out;
146 }
147
148 if (last == DBUS_STRUCT_BEGIN_CHAR)
149 {
150 result = DBUS_INVALID_STRUCT_HAS_NO_FIELDS;
151 goto out;
152 }
153
154 _dbus_list_pop_last (&element_count_stack);
155
156 struct_depth -= 1;
157 break;
158
159 case DBUS_DICT_ENTRY_BEGIN_CHAR:
160 if (last != DBUS_TYPE_ARRAY)
161 {
162 result = DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY;
163 goto out;
164 }
165
166 dict_entry_depth += 1;
167
168 if (dict_entry_depth > DBUS_MAXIMUM_TYPE_RECURSION_DEPTH)
169 {
170 result = DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION;
171 goto out;
172 }
173
174 if (!_dbus_list_append (&element_count_stack,
175 _DBUS_INT_TO_POINTER (0)))
176 {
177 result = DBUS_VALIDITY_UNKNOWN_OOM_ERROR;
178 goto out;
179 }
180
181 break;
182
183 case DBUS_DICT_ENTRY_END_CHAR:
184 if (dict_entry_depth == 0)
185 {
186 result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
187 goto out;
188 }
189
190 dict_entry_depth -= 1;
191
192 element_count =
193 _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
194
195 if (element_count != 2)
196 {
197 if (element_count == 0)
198 result = DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS;
199 else if (element_count == 1)
200 result = DBUS_INVALID_DICT_ENTRY_HAS_ONLY_ONE_FIELD;
201 else
202 result = DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS;
203
204 goto out;
205 }
206 break;
207
208 case DBUS_TYPE_STRUCT: /* doesn't appear in signatures */
209 case DBUS_TYPE_DICT_ENTRY: /* ditto */
210 default:
211 result = DBUS_INVALID_UNKNOWN_TYPECODE;
212 goto out;
213 }
214
215 if (*p != DBUS_TYPE_ARRAY &&
216 *p != DBUS_DICT_ENTRY_BEGIN_CHAR &&
217 *p != DBUS_STRUCT_BEGIN_CHAR)
218 {
219 element_count =
220 _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
221
222 ++element_count;
223
224 if (!_dbus_list_append (&element_count_stack,
225 _DBUS_INT_TO_POINTER (element_count)))
226 {
227 result = DBUS_VALIDITY_UNKNOWN_OOM_ERROR;
228 goto out;
229 }
230 }
231
232 if (array_depth > 0)
233 {
234 if (*p == DBUS_TYPE_ARRAY && p != end)
235 {
236 const char *p1;
237 p1 = p + 1;
238 if (*p1 == DBUS_STRUCT_END_CHAR ||
239 *p1 == DBUS_DICT_ENTRY_END_CHAR)
240 {
241 result = DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE;
242 goto out;
243 }
244 }
245 else
246 {
247 array_depth = 0;
248 }
249 }
250
251 if (last == DBUS_DICT_ENTRY_BEGIN_CHAR)
252 {
253 if (!(dbus_type_is_valid (*p) && dbus_type_is_basic (*p)))
254 {
255 result = DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE;
256 goto out;
257 }
258 }
259
260 last = *p;
261 ++p;
262 }
263
264
265 if (array_depth > 0)
266 {
267 result = DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE;
268 goto out;
269 }
270
271 if (struct_depth > 0)
272 {
273 result = DBUS_INVALID_STRUCT_STARTED_BUT_NOT_ENDED;
274 goto out;
275 }
276
277 if (dict_entry_depth > 0)
278 {
279 result = DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED;
280 goto out;
281 }
282
283 _dbus_assert (last != DBUS_TYPE_ARRAY);
284 _dbus_assert (last != DBUS_STRUCT_BEGIN_CHAR);
285 _dbus_assert (last != DBUS_DICT_ENTRY_BEGIN_CHAR);
286
287 result = DBUS_VALID;
288
289 out:
290 _dbus_list_clear (&element_count_stack);
291 return result;
292 }
293
294 /* note: this function is also used to validate the header's values,
295 * since the header is a valid body with a particular signature.
296 */
297 static DBusValidity
validate_body_helper(DBusTypeReader * reader,int byte_order,dbus_bool_t walk_reader_to_end,int total_depth,const unsigned char * p,const unsigned char * end,const unsigned char ** new_p)298 validate_body_helper (DBusTypeReader *reader,
299 int byte_order,
300 dbus_bool_t walk_reader_to_end,
301 int total_depth,
302 const unsigned char *p,
303 const unsigned char *end,
304 const unsigned char **new_p)
305 {
306 int current_type;
307
308 /* The spec allows arrays and structs to each nest 32, for total
309 * nesting of 2*32. We want to impose the same limit on "dynamic"
310 * value nesting (not visible in the signature) which is introduced
311 * by DBUS_TYPE_VARIANT.
312 */
313 if (total_depth > (DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2))
314 {
315 return DBUS_INVALID_NESTED_TOO_DEEPLY;
316 }
317
318 while ((current_type = _dbus_type_reader_get_current_type (reader)) != DBUS_TYPE_INVALID)
319 {
320 const unsigned char *a;
321 int alignment;
322
323 #if 0
324 _dbus_verbose (" validating value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
325 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
326 (int) (end - p));
327 #endif
328
329 /* Guarantee that p has one byte to look at */
330 if (p == end)
331 return DBUS_INVALID_NOT_ENOUGH_DATA;
332
333 switch (current_type)
334 {
335 case DBUS_TYPE_BYTE:
336 ++p;
337 break;
338
339 case DBUS_TYPE_BOOLEAN:
340 case DBUS_TYPE_INT16:
341 case DBUS_TYPE_UINT16:
342 case DBUS_TYPE_INT32:
343 case DBUS_TYPE_UINT32:
344 case DBUS_TYPE_UNIX_FD:
345 case DBUS_TYPE_INT64:
346 case DBUS_TYPE_UINT64:
347 case DBUS_TYPE_DOUBLE:
348 alignment = _dbus_type_get_alignment (current_type);
349 a = _DBUS_ALIGN_ADDRESS (p, alignment);
350 if (a >= end)
351 return DBUS_INVALID_NOT_ENOUGH_DATA;
352 while (p != a)
353 {
354 if (*p != '\0')
355 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
356 ++p;
357 }
358
359 if (current_type == DBUS_TYPE_BOOLEAN)
360 {
361 dbus_uint32_t v = _dbus_unpack_uint32 (byte_order,
362 p);
363 if (!(v == 0 || v == 1))
364 return DBUS_INVALID_BOOLEAN_NOT_ZERO_OR_ONE;
365 }
366
367 p += alignment;
368 break;
369
370 case DBUS_TYPE_ARRAY:
371 case DBUS_TYPE_STRING:
372 case DBUS_TYPE_OBJECT_PATH:
373 {
374 dbus_uint32_t claimed_len;
375
376 a = _DBUS_ALIGN_ADDRESS (p, 4);
377 if (a + 4 > end)
378 return DBUS_INVALID_NOT_ENOUGH_DATA;
379 while (p != a)
380 {
381 if (*p != '\0')
382 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
383 ++p;
384 }
385
386 claimed_len = _dbus_unpack_uint32 (byte_order, p);
387 p += 4;
388
389 /* p may now be == end */
390 _dbus_assert (p <= end);
391
392 if (current_type == DBUS_TYPE_ARRAY)
393 {
394 int array_elem_type = _dbus_type_reader_get_element_type (reader);
395
396 if (!dbus_type_is_valid (array_elem_type))
397 {
398 return DBUS_INVALID_UNKNOWN_TYPECODE;
399 }
400
401 alignment = _dbus_type_get_alignment (array_elem_type);
402
403 a = _DBUS_ALIGN_ADDRESS (p, alignment);
404
405 /* a may now be == end */
406 if (a > end)
407 return DBUS_INVALID_NOT_ENOUGH_DATA;
408
409 while (p != a)
410 {
411 if (*p != '\0')
412 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
413 ++p;
414 }
415 }
416
417 if (claimed_len > (unsigned long) (end - p))
418 return DBUS_INVALID_LENGTH_OUT_OF_BOUNDS;
419
420 if (current_type == DBUS_TYPE_OBJECT_PATH)
421 {
422 DBusString str;
423 _dbus_string_init_const_len (&str, p, claimed_len);
424 if (!_dbus_validate_path (&str, 0,
425 _dbus_string_get_length (&str)))
426 return DBUS_INVALID_BAD_PATH;
427
428 p += claimed_len;
429 }
430 else if (current_type == DBUS_TYPE_STRING)
431 {
432 DBusString str;
433 _dbus_string_init_const_len (&str, p, claimed_len);
434 if (!_dbus_string_validate_utf8 (&str, 0,
435 _dbus_string_get_length (&str)))
436 return DBUS_INVALID_BAD_UTF8_IN_STRING;
437
438 p += claimed_len;
439 }
440 else if (current_type == DBUS_TYPE_ARRAY && claimed_len > 0)
441 {
442 DBusTypeReader sub;
443 DBusValidity validity;
444 const unsigned char *array_end;
445 int array_elem_type;
446
447 if (claimed_len > DBUS_MAXIMUM_ARRAY_LENGTH)
448 return DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM;
449
450 /* Remember that the reader is types only, so we can't
451 * use it to iterate over elements. It stays the same
452 * for all elements.
453 */
454 _dbus_type_reader_recurse (reader, &sub);
455
456 array_end = p + claimed_len;
457
458 array_elem_type = _dbus_type_reader_get_element_type (reader);
459
460 /* avoid recursive call to validate_body_helper if this is an array
461 * of fixed-size elements
462 */
463 if (dbus_type_is_fixed (array_elem_type))
464 {
465 /* bools need to be handled differently, because they can
466 * have an invalid value
467 */
468 if (array_elem_type == DBUS_TYPE_BOOLEAN)
469 {
470 dbus_uint32_t v;
471 alignment = _dbus_type_get_alignment (array_elem_type);
472
473 while (p < array_end)
474 {
475 v = _dbus_unpack_uint32 (byte_order, p);
476
477 if (!(v == 0 || v == 1))
478 return DBUS_INVALID_BOOLEAN_NOT_ZERO_OR_ONE;
479
480 p += alignment;
481 }
482 }
483
484 else
485 {
486 p = array_end;
487 }
488 }
489
490 else
491 {
492 while (p < array_end)
493 {
494 validity = validate_body_helper (&sub, byte_order, FALSE,
495 total_depth + 1,
496 p, end, &p);
497 if (validity != DBUS_VALID)
498 return validity;
499 }
500 }
501
502 if (p != array_end)
503 return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
504 }
505
506 /* check nul termination */
507 if (current_type != DBUS_TYPE_ARRAY)
508 {
509 if (p == end)
510 return DBUS_INVALID_NOT_ENOUGH_DATA;
511
512 if (*p != '\0')
513 return DBUS_INVALID_STRING_MISSING_NUL;
514 ++p;
515 }
516 }
517 break;
518
519 case DBUS_TYPE_SIGNATURE:
520 {
521 dbus_uint32_t claimed_len;
522 DBusString str;
523 DBusValidity validity;
524
525 claimed_len = *p;
526 ++p;
527
528 /* 1 is for nul termination */
529 if (claimed_len + 1 > (unsigned long) (end - p))
530 return DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
531
532 _dbus_string_init_const_len (&str, p, claimed_len);
533 validity =
534 _dbus_validate_signature_with_reason (&str, 0,
535 _dbus_string_get_length (&str));
536
537 if (validity != DBUS_VALID)
538 return validity;
539
540 p += claimed_len;
541
542 _dbus_assert (p < end);
543 if (*p != DBUS_TYPE_INVALID)
544 return DBUS_INVALID_SIGNATURE_MISSING_NUL;
545
546 ++p;
547
548 _dbus_verbose ("p = %p end = %p claimed_len %u\n", p, end, claimed_len);
549 }
550 break;
551
552 case DBUS_TYPE_VARIANT:
553 {
554 /* 1 byte sig len, sig typecodes, align to
555 * contained-type-boundary, values.
556 */
557
558 /* In addition to normal signature validation, we need to be sure
559 * the signature contains only a single (possibly container) type.
560 */
561 dbus_uint32_t claimed_len;
562 DBusString sig;
563 DBusTypeReader sub;
564 DBusValidity validity;
565 int contained_alignment;
566 int contained_type;
567 DBusValidity reason;
568
569 claimed_len = *p;
570 ++p;
571
572 /* + 1 for nul */
573 if (claimed_len + 1 > (unsigned long) (end - p))
574 return DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS;
575
576 _dbus_string_init_const_len (&sig, p, claimed_len);
577 reason = _dbus_validate_signature_with_reason (&sig, 0,
578 _dbus_string_get_length (&sig));
579 if (!(reason == DBUS_VALID))
580 {
581 if (reason == DBUS_VALIDITY_UNKNOWN_OOM_ERROR)
582 return reason;
583 else
584 return DBUS_INVALID_VARIANT_SIGNATURE_BAD;
585 }
586
587 p += claimed_len;
588
589 if (*p != DBUS_TYPE_INVALID)
590 return DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL;
591 ++p;
592
593 contained_type = _dbus_first_type_in_signature (&sig, 0);
594 if (contained_type == DBUS_TYPE_INVALID)
595 return DBUS_INVALID_VARIANT_SIGNATURE_EMPTY;
596
597 contained_alignment = _dbus_type_get_alignment (contained_type);
598
599 a = _DBUS_ALIGN_ADDRESS (p, contained_alignment);
600 if (a > end)
601 return DBUS_INVALID_NOT_ENOUGH_DATA;
602 while (p != a)
603 {
604 if (*p != '\0')
605 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
606 ++p;
607 }
608
609 _dbus_type_reader_init_types_only (&sub, &sig, 0);
610
611 _dbus_assert (_dbus_type_reader_get_current_type (&sub) != DBUS_TYPE_INVALID);
612
613 validity = validate_body_helper (&sub, byte_order, FALSE,
614 total_depth + 1,
615 p, end, &p);
616 if (validity != DBUS_VALID)
617 return validity;
618
619 if (_dbus_type_reader_next (&sub))
620 return DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES;
621
622 _dbus_assert (_dbus_type_reader_get_current_type (&sub) == DBUS_TYPE_INVALID);
623 }
624 break;
625
626 case DBUS_TYPE_DICT_ENTRY:
627 case DBUS_TYPE_STRUCT:
628 {
629 DBusTypeReader sub;
630 DBusValidity validity;
631
632 a = _DBUS_ALIGN_ADDRESS (p, 8);
633 if (a > end)
634 return DBUS_INVALID_NOT_ENOUGH_DATA;
635 while (p != a)
636 {
637 if (*p != '\0')
638 return DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL;
639 ++p;
640 }
641
642 _dbus_type_reader_recurse (reader, &sub);
643
644 validity = validate_body_helper (&sub, byte_order, TRUE,
645 total_depth + 1,
646 p, end, &p);
647 if (validity != DBUS_VALID)
648 return validity;
649 }
650 break;
651
652 default:
653 _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
654 break;
655 }
656
657 #if 0
658 _dbus_verbose (" validated value of type %s type reader %p type_pos %d p %p end %p %d remain\n",
659 _dbus_type_to_string (current_type), reader, reader->type_pos, p, end,
660 (int) (end - p));
661 #endif
662
663 if (p > end)
664 {
665 _dbus_verbose ("not enough data!!! p = %p end = %p end-p = %d\n",
666 p, end, (int) (end - p));
667 return DBUS_INVALID_NOT_ENOUGH_DATA;
668 }
669
670 if (walk_reader_to_end)
671 _dbus_type_reader_next (reader);
672 else
673 break;
674 }
675
676 if (new_p)
677 *new_p = p;
678
679 return DBUS_VALID;
680 }
681
682 /**
683 * Verifies that the range of value_str from value_pos to value_end is
684 * a legitimate value of type expected_signature. If this function
685 * returns #TRUE, it will be safe to iterate over the values with
686 * #DBusTypeReader. The signature is assumed to be already valid.
687 *
688 * If bytes_remaining is not #NULL, then leftover bytes will be stored
689 * there and #DBUS_VALID returned. If it is #NULL, then
690 * #DBUS_INVALID_TOO_MUCH_DATA will be returned if bytes are left
691 * over.
692 *
693 * @param expected_signature the expected types in the value_str
694 * @param expected_signature_start where in expected_signature is the signature
695 * @param byte_order the byte order
696 * @param bytes_remaining place to store leftover bytes
697 * @param value_str the string containing the body
698 * @param value_pos where the values start
699 * @param len length of values after value_pos
700 * @returns #DBUS_VALID if valid, reason why invalid otherwise
701 */
702 DBusValidity
_dbus_validate_body_with_reason(const DBusString * expected_signature,int expected_signature_start,int byte_order,int * bytes_remaining,const DBusString * value_str,int value_pos,int len)703 _dbus_validate_body_with_reason (const DBusString *expected_signature,
704 int expected_signature_start,
705 int byte_order,
706 int *bytes_remaining,
707 const DBusString *value_str,
708 int value_pos,
709 int len)
710 {
711 DBusTypeReader reader;
712 const unsigned char *p;
713 const unsigned char *end;
714 DBusValidity validity;
715
716 _dbus_assert (len >= 0);
717 _dbus_assert (value_pos >= 0);
718 _dbus_assert (value_pos <= _dbus_string_get_length (value_str) - len);
719
720 _dbus_verbose ("validating body from pos %d len %d sig '%s'\n",
721 value_pos, len, _dbus_string_get_const_data_len (expected_signature,
722 expected_signature_start,
723 0));
724
725 _dbus_type_reader_init_types_only (&reader,
726 expected_signature, expected_signature_start);
727
728 p = _dbus_string_get_const_data_len (value_str, value_pos, len);
729 end = p + len;
730
731 validity = validate_body_helper (&reader, byte_order, TRUE, 0, p, end, &p);
732 if (validity != DBUS_VALID)
733 return validity;
734
735 if (bytes_remaining)
736 {
737 *bytes_remaining = end - p;
738 return DBUS_VALID;
739 }
740 else if (p < end)
741 return DBUS_INVALID_TOO_MUCH_DATA;
742 else
743 {
744 _dbus_assert (p == end);
745 return DBUS_VALID;
746 }
747 }
748
749 /**
750 * Determine wether the given character is valid as the first character
751 * in a name.
752 */
753 #define VALID_INITIAL_NAME_CHARACTER(c) \
754 ( ((c) >= 'A' && (c) <= 'Z') || \
755 ((c) >= 'a' && (c) <= 'z') || \
756 ((c) == '_') )
757
758 /**
759 * Determine wether the given character is valid as a second or later
760 * character in a name
761 */
762 #define VALID_NAME_CHARACTER(c) \
763 ( ((c) >= '0' && (c) <= '9') || \
764 ((c) >= 'A' && (c) <= 'Z') || \
765 ((c) >= 'a' && (c) <= 'z') || \
766 ((c) == '_') )
767
768 /**
769 * Checks that the given range of the string is a valid object path
770 * name in the D-Bus protocol. Part of the validation ensures that
771 * the object path contains only ASCII.
772 *
773 * @todo this is inconsistent with most of DBusString in that
774 * it allows a start,len range that extends past the string end.
775 *
776 * @todo change spec to disallow more things, such as spaces in the
777 * path name
778 *
779 * @param str the string
780 * @param start first byte index to check
781 * @param len number of bytes to check
782 * @returns #TRUE if the byte range exists and is a valid name
783 */
784 dbus_bool_t
_dbus_validate_path(const DBusString * str,int start,int len)785 _dbus_validate_path (const DBusString *str,
786 int start,
787 int len)
788 {
789 const unsigned char *s;
790 const unsigned char *end;
791 const unsigned char *last_slash;
792
793 _dbus_assert (start >= 0);
794 _dbus_assert (len >= 0);
795 _dbus_assert (start <= _dbus_string_get_length (str));
796
797 if (len > _dbus_string_get_length (str) - start)
798 return FALSE;
799
800 if (len == 0)
801 return FALSE;
802
803 s = _dbus_string_get_const_data (str) + start;
804 end = s + len;
805
806 if (*s != '/')
807 return FALSE;
808 last_slash = s;
809 ++s;
810
811 while (s != end)
812 {
813 if (*s == '/')
814 {
815 if ((s - last_slash) < 2)
816 return FALSE; /* no empty path components allowed */
817
818 last_slash = s;
819 }
820 else
821 {
822 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
823 return FALSE;
824 }
825
826 ++s;
827 }
828
829 if ((end - last_slash) < 2 &&
830 len > 1)
831 return FALSE; /* trailing slash not allowed unless the string is "/" */
832
833 return TRUE;
834 }
835
836 const char *
_dbus_validity_to_error_message(DBusValidity validity)837 _dbus_validity_to_error_message (DBusValidity validity)
838 {
839 switch (validity)
840 {
841 case DBUS_VALIDITY_UNKNOWN_OOM_ERROR: return "Out of memory";
842 case DBUS_INVALID_FOR_UNKNOWN_REASON: return "Unknown reason";
843 case DBUS_VALID_BUT_INCOMPLETE: return "Valid but incomplete";
844 case DBUS_VALIDITY_UNKNOWN: return "Validity unknown";
845 case DBUS_VALID: return "Valid";
846 case DBUS_INVALID_UNKNOWN_TYPECODE: return "Unknown typecode";
847 case DBUS_INVALID_MISSING_ARRAY_ELEMENT_TYPE: return "Missing array element type";
848 case DBUS_INVALID_SIGNATURE_TOO_LONG: return "Signature is too long";
849 case DBUS_INVALID_EXCEEDED_MAXIMUM_ARRAY_RECURSION: return "Exceeded maximum array recursion";
850 case DBUS_INVALID_EXCEEDED_MAXIMUM_STRUCT_RECURSION: return "Exceeded maximum struct recursion";
851 case DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED: return "Struct ended but not started";
852 case DBUS_INVALID_STRUCT_STARTED_BUT_NOT_ENDED: return "Struct started but not ended";
853 case DBUS_INVALID_STRUCT_HAS_NO_FIELDS: return "Struct has no fields";
854 case DBUS_INVALID_ALIGNMENT_PADDING_NOT_NUL: return "Alignment padding not null";
855 case DBUS_INVALID_BOOLEAN_NOT_ZERO_OR_ONE: return "Boolean is not zero or one";
856 case DBUS_INVALID_NOT_ENOUGH_DATA: return "Not enough data";
857 case DBUS_INVALID_TOO_MUCH_DATA: return "Too much data";
858 case DBUS_INVALID_BAD_BYTE_ORDER: return "Bad byte order";
859 case DBUS_INVALID_BAD_PROTOCOL_VERSION: return "Bad protocol version";
860 case DBUS_INVALID_BAD_MESSAGE_TYPE: return "Bad message type";
861 case DBUS_INVALID_BAD_SERIAL: return "Bad serial";
862 case DBUS_INVALID_INSANE_FIELDS_ARRAY_LENGTH: return "Insane fields array length";
863 case DBUS_INVALID_INSANE_BODY_LENGTH: return "Insane body length";
864 case DBUS_INVALID_MESSAGE_TOO_LONG: return "Message too long";
865 case DBUS_INVALID_HEADER_FIELD_CODE: return "Header field code";
866 case DBUS_INVALID_HEADER_FIELD_HAS_WRONG_TYPE: return "Header field has wrong type";
867 case DBUS_INVALID_USES_LOCAL_INTERFACE: return "Uses local interface";
868 case DBUS_INVALID_USES_LOCAL_PATH: return "Uses local path";
869 case DBUS_INVALID_HEADER_FIELD_APPEARS_TWICE: return "Header field appears twice";
870 case DBUS_INVALID_BAD_DESTINATION: return "Bad destination";
871 case DBUS_INVALID_BAD_INTERFACE: return "Bad interface";
872 case DBUS_INVALID_BAD_MEMBER: return "Bad member";
873 case DBUS_INVALID_BAD_ERROR_NAME: return "Bad error name";
874 case DBUS_INVALID_BAD_SENDER: return "Bad sender";
875 case DBUS_INVALID_MISSING_PATH: return "Missing path";
876 case DBUS_INVALID_MISSING_INTERFACE: return "Missing interface";
877 case DBUS_INVALID_MISSING_MEMBER: return "Missing member";
878 case DBUS_INVALID_MISSING_ERROR_NAME: return "Missing error name";
879 case DBUS_INVALID_MISSING_REPLY_SERIAL: return "Missing reply serial";
880 case DBUS_INVALID_LENGTH_OUT_OF_BOUNDS: return "Length out of bounds";
881 case DBUS_INVALID_ARRAY_LENGTH_EXCEEDS_MAXIMUM: return "Array length exceeds maximum";
882 case DBUS_INVALID_BAD_PATH: return "Bad path";
883 case DBUS_INVALID_SIGNATURE_LENGTH_OUT_OF_BOUNDS: return "Signature length out of bounds";
884 case DBUS_INVALID_BAD_UTF8_IN_STRING: return "Bad utf8 in string";
885 case DBUS_INVALID_ARRAY_LENGTH_INCORRECT: return "Array length incorrect";
886 case DBUS_INVALID_VARIANT_SIGNATURE_LENGTH_OUT_OF_BOUNDS: return "Variant signature length out of bounds";
887 case DBUS_INVALID_VARIANT_SIGNATURE_BAD: return "Variant signature bad";
888 case DBUS_INVALID_VARIANT_SIGNATURE_EMPTY: return "Variant signature empty";
889 case DBUS_INVALID_VARIANT_SIGNATURE_SPECIFIES_MULTIPLE_VALUES: return "Variant signature specifies multiple values";
890 case DBUS_INVALID_VARIANT_SIGNATURE_MISSING_NUL: return "Variant signature missing nul";
891 case DBUS_INVALID_STRING_MISSING_NUL: return "String missing nul";
892 case DBUS_INVALID_SIGNATURE_MISSING_NUL: return "Signature missing nul";
893 case DBUS_INVALID_EXCEEDED_MAXIMUM_DICT_ENTRY_RECURSION: return "Exceeded maximum dict entry recursion";
894 case DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED: return "Dict entry ended but not started";
895 case DBUS_INVALID_DICT_ENTRY_STARTED_BUT_NOT_ENDED: return "Dict entry started but not ended";
896 case DBUS_INVALID_DICT_ENTRY_HAS_NO_FIELDS: return "Dict entry has no fields";
897 case DBUS_INVALID_DICT_ENTRY_HAS_ONLY_ONE_FIELD: return "Dict entry has only one field";
898 case DBUS_INVALID_DICT_ENTRY_HAS_TOO_MANY_FIELDS: return "Dict entry has too many fields";
899 case DBUS_INVALID_DICT_ENTRY_NOT_INSIDE_ARRAY: return "Dict entry not inside array";
900 case DBUS_INVALID_DICT_KEY_MUST_BE_BASIC_TYPE: return "Dict key must be basic type";
901 case DBUS_INVALID_NESTED_TOO_DEEPLY: return "Variants cannot be used to create a hugely recursive tree of values";
902 default:
903 return "Invalid";
904 }
905 }
906
907 /**
908 * Checks that the given range of the string is a valid interface name
909 * in the D-Bus protocol. This includes a length restriction and an
910 * ASCII subset, see the specification.
911 *
912 * @todo this is inconsistent with most of DBusString in that
913 * it allows a start,len range that extends past the string end.
914 *
915 * @param str the string
916 * @param start first byte index to check
917 * @param len number of bytes to check
918 * @returns #TRUE if the byte range exists and is a valid name
919 */
920 dbus_bool_t
_dbus_validate_interface(const DBusString * str,int start,int len)921 _dbus_validate_interface (const DBusString *str,
922 int start,
923 int len)
924 {
925 const unsigned char *s;
926 const unsigned char *end;
927 const unsigned char *iface;
928 const unsigned char *last_dot;
929
930 _dbus_assert (start >= 0);
931 _dbus_assert (len >= 0);
932 _dbus_assert (start <= _dbus_string_get_length (str));
933
934 if (len > _dbus_string_get_length (str) - start)
935 return FALSE;
936
937 if (len > DBUS_MAXIMUM_NAME_LENGTH)
938 return FALSE;
939
940 if (len == 0)
941 return FALSE;
942
943 last_dot = NULL;
944 iface = _dbus_string_get_const_data (str) + start;
945 end = iface + len;
946 s = iface;
947
948 /* check special cases of first char so it doesn't have to be done
949 * in the loop. Note we know len > 0
950 */
951 if (_DBUS_UNLIKELY (*s == '.')) /* disallow starting with a . */
952 return FALSE;
953 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
954 return FALSE;
955 else
956 ++s;
957
958 while (s != end)
959 {
960 if (*s == '.')
961 {
962 if (_DBUS_UNLIKELY ((s + 1) == end))
963 return FALSE;
964 else if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*(s + 1))))
965 return FALSE;
966 last_dot = s;
967 ++s; /* we just validated the next char, so skip two */
968 }
969 else if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
970 {
971 return FALSE;
972 }
973
974 ++s;
975 }
976
977 if (_DBUS_UNLIKELY (last_dot == NULL))
978 return FALSE;
979
980 return TRUE;
981 }
982
983 /**
984 * Checks that the given range of the string is a valid member name
985 * in the D-Bus protocol. This includes a length restriction, etc.,
986 * see the specification.
987 *
988 * @todo this is inconsistent with most of DBusString in that
989 * it allows a start,len range that extends past the string end.
990 *
991 * @param str the string
992 * @param start first byte index to check
993 * @param len number of bytes to check
994 * @returns #TRUE if the byte range exists and is a valid name
995 */
996 dbus_bool_t
_dbus_validate_member(const DBusString * str,int start,int len)997 _dbus_validate_member (const DBusString *str,
998 int start,
999 int len)
1000 {
1001 const unsigned char *s;
1002 const unsigned char *end;
1003 const unsigned char *member;
1004
1005 _dbus_assert (start >= 0);
1006 _dbus_assert (len >= 0);
1007 _dbus_assert (start <= _dbus_string_get_length (str));
1008
1009 if (len > _dbus_string_get_length (str) - start)
1010 return FALSE;
1011
1012 if (len > DBUS_MAXIMUM_NAME_LENGTH)
1013 return FALSE;
1014
1015 if (len == 0)
1016 return FALSE;
1017
1018 member = _dbus_string_get_const_data (str) + start;
1019 end = member + len;
1020 s = member;
1021
1022 /* check special cases of first char so it doesn't have to be done
1023 * in the loop. Note we know len > 0
1024 */
1025
1026 if (_DBUS_UNLIKELY (!VALID_INITIAL_NAME_CHARACTER (*s)))
1027 return FALSE;
1028 else
1029 ++s;
1030
1031 while (s != end)
1032 {
1033 if (_DBUS_UNLIKELY (!VALID_NAME_CHARACTER (*s)))
1034 {
1035 return FALSE;
1036 }
1037
1038 ++s;
1039 }
1040
1041 return TRUE;
1042 }
1043
1044 /**
1045 * Checks that the given range of the string is a valid error name
1046 * in the D-Bus protocol. This includes a length restriction, etc.,
1047 * see the specification.
1048 *
1049 * @todo this is inconsistent with most of DBusString in that
1050 * it allows a start,len range that extends past the string end.
1051 *
1052 * @param str the string
1053 * @param start first byte index to check
1054 * @param len number of bytes to check
1055 * @returns #TRUE if the byte range exists and is a valid name
1056 */
1057 dbus_bool_t
_dbus_validate_error_name(const DBusString * str,int start,int len)1058 _dbus_validate_error_name (const DBusString *str,
1059 int start,
1060 int len)
1061 {
1062 /* Same restrictions as interface name at the moment */
1063 return _dbus_validate_interface (str, start, len);
1064 }
1065
1066 /**
1067 * Determine wether the given character is valid as the first character
1068 * in a bus name.
1069 */
1070 #define VALID_INITIAL_BUS_NAME_CHARACTER(c) \
1071 ( ((c) >= 'A' && (c) <= 'Z') || \
1072 ((c) >= 'a' && (c) <= 'z') || \
1073 ((c) == '_') || ((c) == '-'))
1074
1075 /**
1076 * Determine wether the given character is valid as a second or later
1077 * character in a bus name
1078 */
1079 #define VALID_BUS_NAME_CHARACTER(c) \
1080 ( ((c) >= '0' && (c) <= '9') || \
1081 ((c) >= 'A' && (c) <= 'Z') || \
1082 ((c) >= 'a' && (c) <= 'z') || \
1083 ((c) == '_') || ((c) == '-'))
1084
1085 static dbus_bool_t
_dbus_validate_bus_name_full(const DBusString * str,int start,int len,dbus_bool_t is_namespace)1086 _dbus_validate_bus_name_full (const DBusString *str,
1087 int start,
1088 int len,
1089 dbus_bool_t is_namespace)
1090 {
1091 const unsigned char *s;
1092 const unsigned char *end;
1093 const unsigned char *iface;
1094 const unsigned char *last_dot;
1095
1096 _dbus_assert (start >= 0);
1097 _dbus_assert (len >= 0);
1098 _dbus_assert (start <= _dbus_string_get_length (str));
1099
1100 if (len > _dbus_string_get_length (str) - start)
1101 return FALSE;
1102
1103 if (len > DBUS_MAXIMUM_NAME_LENGTH)
1104 return FALSE;
1105
1106 if (len == 0)
1107 return FALSE;
1108
1109 last_dot = NULL;
1110 iface = _dbus_string_get_const_data (str) + start;
1111 end = iface + len;
1112 s = iface;
1113
1114 /* check special cases of first char so it doesn't have to be done
1115 * in the loop. Note we know len > 0
1116 */
1117 if (*s == ':')
1118 {
1119 /* unique name */
1120 ++s;
1121 while (s != end)
1122 {
1123 if (*s == '.')
1124 {
1125 if (_DBUS_UNLIKELY ((s + 1) == end))
1126 return FALSE;
1127 if (_DBUS_UNLIKELY (!VALID_BUS_NAME_CHARACTER (*(s + 1))))
1128 return FALSE;
1129 ++s; /* we just validated the next char, so skip two */
1130 }
1131 else if (_DBUS_UNLIKELY (!VALID_BUS_NAME_CHARACTER (*s)))
1132 {
1133 return FALSE;
1134 }
1135
1136 ++s;
1137 }
1138
1139 return TRUE;
1140 }
1141 else if (_DBUS_UNLIKELY (*s == '.')) /* disallow starting with a . */
1142 return FALSE;
1143 else if (_DBUS_UNLIKELY (!VALID_INITIAL_BUS_NAME_CHARACTER (*s)))
1144 return FALSE;
1145 else
1146 ++s;
1147
1148 while (s != end)
1149 {
1150 if (*s == '.')
1151 {
1152 if (_DBUS_UNLIKELY ((s + 1) == end))
1153 return FALSE;
1154 else if (_DBUS_UNLIKELY (!VALID_INITIAL_BUS_NAME_CHARACTER (*(s + 1))))
1155 return FALSE;
1156 last_dot = s;
1157 ++s; /* we just validated the next char, so skip two */
1158 }
1159 else if (_DBUS_UNLIKELY (!VALID_BUS_NAME_CHARACTER (*s)))
1160 {
1161 return FALSE;
1162 }
1163
1164 ++s;
1165 }
1166
1167 if (!is_namespace && _DBUS_UNLIKELY (last_dot == NULL))
1168 return FALSE;
1169
1170 return TRUE;
1171 }
1172
1173 /**
1174 * Checks that the given range of the string is a valid bus name in
1175 * the D-Bus protocol. This includes a length restriction, etc., see
1176 * the specification.
1177 *
1178 * @todo this is inconsistent with most of DBusString in that
1179 * it allows a start,len range that extends past the string end.
1180 *
1181 * @param str the string
1182 * @param start first byte index to check
1183 * @param len number of bytes to check
1184 * @returns #TRUE if the byte range exists and is a valid name
1185 */
1186 dbus_bool_t
_dbus_validate_bus_name(const DBusString * str,int start,int len)1187 _dbus_validate_bus_name (const DBusString *str,
1188 int start,
1189 int len)
1190 {
1191 return _dbus_validate_bus_name_full (str, start, len, FALSE);
1192 }
1193
1194 /**
1195 * Checks that the given range of the string is a prefix of a valid bus name in
1196 * the D-Bus protocol. Unlike _dbus_validate_bus_name(), this accepts strings
1197 * with only one period-separated component.
1198 *
1199 * @todo this is inconsistent with most of DBusString in that
1200 * it allows a start,len range that extends past the string end.
1201 *
1202 * @param str the string
1203 * @param start first byte index to check
1204 * @param len number of bytes to check
1205 * @returns #TRUE if the byte range exists and is a valid name
1206 */
1207 dbus_bool_t
_dbus_validate_bus_namespace(const DBusString * str,int start,int len)1208 _dbus_validate_bus_namespace (const DBusString *str,
1209 int start,
1210 int len)
1211 {
1212 return _dbus_validate_bus_name_full (str, start, len, TRUE);
1213 }
1214
1215 /**
1216 * Checks that the given range of the string is a valid message type
1217 * signature in the D-Bus protocol.
1218 *
1219 * @todo this is inconsistent with most of DBusString in that
1220 * it allows a start,len range that extends past the string end.
1221 *
1222 * @param str the string
1223 * @param start first byte index to check
1224 * @param len number of bytes to check
1225 * @returns #TRUE if the byte range exists and is a valid signature
1226 */
1227 dbus_bool_t
_dbus_validate_signature(const DBusString * str,int start,int len)1228 _dbus_validate_signature (const DBusString *str,
1229 int start,
1230 int len)
1231 {
1232 _dbus_assert (start >= 0);
1233 _dbus_assert (start <= _dbus_string_get_length (str));
1234 _dbus_assert (len >= 0);
1235
1236 if (len > _dbus_string_get_length (str) - start)
1237 return FALSE;
1238
1239 return _dbus_validate_signature_with_reason (str, start, len) == DBUS_VALID;
1240 }
1241
1242 /** define _dbus_check_is_valid_path() */
1243 DEFINE_DBUS_NAME_CHECK(path)
1244 /** define _dbus_check_is_valid_interface() */
1245 DEFINE_DBUS_NAME_CHECK(interface)
1246 /** define _dbus_check_is_valid_member() */
1247 DEFINE_DBUS_NAME_CHECK(member)
1248 /** define _dbus_check_is_valid_error_name() */
1249 DEFINE_DBUS_NAME_CHECK(error_name)
1250 /** define _dbus_check_is_valid_bus_name() */
1251 DEFINE_DBUS_NAME_CHECK(bus_name)
1252 /** define _dbus_check_is_valid_signature() */
1253 DEFINE_DBUS_NAME_CHECK(signature)
1254 /** define _dbus_check_is_valid_utf8() */
1255 DEFINE_DBUS_NAME_CHECK(utf8)
1256
1257 /** @} */
1258
1259 /* tests in dbus-marshal-validate-util.c */
1260