Use correct parameters when calling l_dbus_message_iter_get_fixed_array(). Also, check the return value and the length of the processed array and return an error if the checks fail.
---
 mesh/mesh.c | 11 ++++-------
 mesh/node.c | 26 +++++++++++++-------------
 2 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/mesh/mesh.c b/mesh/mesh.c
index 8db83b7c3..a0a9a7c8e 100644
--- a/mesh/mesh.c
+++ b/mesh/mesh.c
@@ -73,7 +73,7 @@ struct join_data{
 const char *app_path;
 struct mesh_node *node;
 uint32_t disc_watch;
- uint8_t uuid[16];
+ uint8_t *uuid;
 };
 struct attach_data {
@@ -561,7 +561,6 @@ static struct l_dbus_message *join_network_call(struct l_dbus *dbus,
 {
 const char *app_path, *sender;
 struct l_dbus_message_iter iter_uuid;
- uint8_t *uuid;
 uint32_t n;
 l_debug("Join network request");
@@ -576,17 +575,15 @@ static struct l_dbus_message *join_network_call(struct l_dbus *dbus,
 join_pending = l_new(struct join_data, 1);
- l_dbus_message_iter_get_fixed_array(&iter_uuid, &uuid, &n);
-
- if (n != 16) {
+ if (!l_dbus_message_iter_get_fixed_array(&iter_uuid,
+ &join_pending->uuid, &n)
+ || n != 16) {
 l_free(join_pending);
 join_pending = NULL;
 return dbus_error(msg, MESH_ERROR_INVALID_ARGS, "Bad device UUID");
 }
- memcpy(join_pending->uuid, uuid, 16);
-
 sender = l_dbus_message_get_sender(msg);
 join_pending->sender = l_strdup(sender);
diff --git a/mesh/node.c b/mesh/node.c
index 6a7b4a260..761a67af4 100644
--- a/mesh/node.c
+++ b/mesh/node.c
@@ -1537,7 +1537,7 @@ static struct l_dbus_message *send_call(struct l_dbus *dbus,
 struct l_dbus_message_iter iter_data;
 struct node_element *ele;
 uint16_t dst, app_idx, src;
- uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
+ uint8_t *data;
 uint32_t len;
 struct l_dbus_message *reply;
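Review bot: `join_pending->uuid` now holds the pointer returned through l_dbus_message_iter_get_fixed_array() instead of a 16-byte copy, so the UUID stays valid only as long as the buffer behind `msg` does. `join_pending` appears to be a file-scope object that outlives this handler, and the hunk does not show whether `msg` is referenced for the same lifetime (join_network_call continues past the hunk); if it is not, any later read of the UUID touches freed memory. Either keep `uint8_t uuid[16];` in struct join_data and `memcpy()` into it once the return value and length checks pass, or state the dependency on the field itself: `uint8_t *uuid; /* borrowed from msg, valid only while msg is referenced */`.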
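Review bot: `uint8_t *data;` is left uninitialised here in send_call and again in publish_call (@@ -1583), while vendor_publish_call (@@ -1634) declares `uint8_t *data = NULL;`. The pointer is only read after l_dbus_message_iter_get_fixed_array() has succeeded, so both forms behave the same today, but the three handlers should agree; initialising all three is the more defensive choice, i.e. `uint8_t *data = NULL;` in each. send_call's body starts and ends outside this hunk.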
@@ -1559,10 +1559,10 @@ static struct l_dbus_message *send_call(struct l_dbus *dbus,
 src = node_get_primary(node) + ele->idx;
- l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
- if (!len)
+ if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) ||
+ !len || len > MESH_MAX_ACCESS_PAYLOAD)
 return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
- "Mesh message is empty");
+ "Incorrect data");
 if (!mesh_model_send(node, src, dst, app_idx, mesh_net_get_default_ttl(node->net), data, len))
@@ -1583,7 +1583,7 @@ static struct l_dbus_message *publish_call(struct l_dbus *dbus,
 struct l_dbus_message_iter iter_data;
 uint16_t mod_id, src;
 struct node_element *ele;
- uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
+ uint8_t *data;
 uint32_t len;
 struct l_dbus_message *reply;
 int result;
@@ -1606,10 +1606,10 @@ static struct l_dbus_message *publish_call(struct l_dbus *dbus,
 src = node_get_primary(node) + ele->idx;
- l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
- if (!len)
+ if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) ||
+ !len || len > MESH_MAX_ACCESS_PAYLOAD)
 return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
- "Mesh message is empty");
+ "Incorrect data");
 result = mesh_model_publish(node, VENDOR_ID_MASK | mod_id, src, mesh_net_get_default_ttl(node->net), data, len);
@@ -1634,7 +1634,7 @@ static struct l_dbus_message *vendor_publish_call(struct l_dbus *dbus,
 uint16_t model_id, vendor;
 uint32_t vendor_mod_id;
 struct node_element *ele;
- uint8_t data[MESH_MAX_ACCESS_PAYLOAD];
+ uint8_t *data = NULL;
 uint32_t len;
 struct l_dbus_message *reply;
 int result;
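Review bot: The three-part payload check is pasted verbatim into send_call here and again into publish_call (@@ -1606) and vendor_publish_call (@@ -1657), so a later change to the size limit has to be made in three places and can miss one. A small static helper would keep the bound in one spot and give a natural home for a comment that `data` now points into `msg` rather than into a stack copy, which means the callee must copy it if it keeps it past the call (not visible from these hunks). The single "Incorrect data" string also hides whether the array was unreadable, empty or oversized; separate messages would help callers debug. send_call continues outside the hunk.

```c
/* Fetch the "ay" payload; *data points into the message and is not copied. */
static bool get_payload(struct l_dbus_message_iter *iter,
					uint8_t **data, uint32_t *len)
{
	if (!l_dbus_message_iter_get_fixed_array(iter, data, len))
		return false;

	return *len && *len <= MESH_MAX_ACCESS_PAYLOAD;
}

/* … unchanged: element lookup and src computation in send_call … */
	if (!get_payload(&iter_data, &data, &len))
		return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
							"Incorrect data");
```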
@@ -1657,10 +1657,10 @@ static struct l_dbus_message *vendor_publish_call(struct l_dbus *dbus,
 src = node_get_primary(node) + ele->idx;
- l_dbus_message_iter_get_fixed_array(&iter_data, data, &len);
- if (!len)
+ if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) ||
+ !len || len > MESH_MAX_ACCESS_PAYLOAD)
 return dbus_error(msg, MESH_ERROR_INVALID_ARGS,
- "Mesh message is empty");
+ "Incorrect data");
 vendor_mod_id = (vendor << 16) | model_id;
 result = mesh_model_publish(node, vendor_mod_id, src,
@@ -1686,7 +1686,7 @@ static void setup_node_interface(struct l_dbus_interface *iface)
 "", "oqqay", "element_path", "vendor", "model_id", "data");
- /*TODO: Properties */
+ /* TODO: Properties */
 }
 bool node_dbus_init(struct l_dbus *bus)
--
2.17.2
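Review bot: `vendor_mod_id = (vendor << 16) | model_id;` shifts a `uint16_t` that has been promoted to `int`, so a vendor ID of 0x8000 or above shifts into the sign bit, which is undefined behaviour in C. `vendor` is declared `uint16_t` in the @@ -1634 hunk and appears to come straight from the D-Bus call arguments, so the value is caller-controlled. The line is context rather than part of this change, but it sits directly below the new length check and is cheap to fix in the same pass: `vendor_mod_id = ((uint32_t) vendor << 16) | model_id;`. vendor_publish_call starts and ends outside the hunk.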