commit cb6da48bebca9e663451b208ce25e1f80ee1b496
author Sivanagaraju S <quic_sivanaga@quicinc.com> Wed Dec 14 11:30:28 2022 +0530
committer Sivanagaraju S <quic_sivanaga@quicinc.com> Tue Dec 27 13:12:27 2022 +0530
tree 18e6baec0c046df3ee93dd705ed85dfac3c87021
parent fc852cd9fdcdc2fbac6da7eba4cadbc9615fd653

agm: service: Add size limit for GKV and CKV num

Add a max limit check for number of GKV and CKV.

Change-Id: Iedb5f4a5521abcf09cd1c3a071cced8717ac8418

service/src/metadata.c

diff --git a/service/src/metadata.c b/service/src/metadata.c
index 047f5e0..bcf0d51 100644
--- a/service/src/metadata.c
+++ b/service/src/metadata.c
@@ -71,7 +71,7 @@
 #define NUM_PROPS(x)                    *((uint32_t *) PTR_TO_NUM_PROPS(x))
 #define PTR_TO_PROPS(x)                 (PTR_TO_NUM_PROPS(x) + sizeof(uint32_t))
 
-#define MAX_KVPAIR 48
+#define MAX_KVPAIR_PROPS 48
 
 void metadata_print(struct agm_meta_data_gsl* metadata)
 {
@@ -203,9 +203,10 @@
     }
     va_end(valist);
 
-    if ((merged->gkv.num_kvs > MAX_KVPAIR) || (merged->ckv.num_kvs > MAX_KVPAIR)) {
-        AGM_LOGE("Num GKVs %d Num CKVs %d more than expected: %d", merged->gkv.num_kvs,
-                                                      merged->ckv.num_kvs, MAX_KVPAIR);
+    if ((merged->gkv.num_kvs > MAX_KVPAIR_PROPS) || (merged->ckv.num_kvs > MAX_KVPAIR_PROPS)
+                                             || (merged->sg_props.num_values > MAX_KVPAIR_PROPS)) {
+        AGM_LOGE("Num GKVs %d Num CKVs %d Num Props %d more than expected: %d", merged->gkv.num_kvs,
+                                merged->ckv.num_kvs, merged->sg_props.num_values, MAX_KVPAIR_PROPS);
         free(merged);
         return NULL;
     }
@@ -281,12 +282,6 @@
         AGM_LOGI("NULL metadata passed, ignoring\n");
         goto done;
     }
-    if ((NUM_GKV(metadata) > MAX_KVPAIR) || (NUM_CKV(metadata) > MAX_KVPAIR)) {
-        AGM_LOGE("Num GKVs %d Num CKVs %d more than expected: %d", NUM_GKV(metadata),
-                                                      NUM_CKV(metadata), MAX_KVPAIR);
-        ret = -EINVAL;
-        return ret;
-    }
 
     min_req_len += sizeof(uint32_t);
     if (size < min_req_len) {
@@ -297,6 +292,11 @@
     }
 
     dest->gkv.num_kvs = NUM_GKV(metadata);
+    if (dest->gkv.num_kvs > MAX_KVPAIR_PROPS) {
+        AGM_LOGE("Num GKVs %d more than expected: %d",dest->gkv.num_kvs, MAX_KVPAIR_PROPS);
+        ret = -EINVAL;
+        goto free_metadata;
+    }
     dest->gkv.kv =  calloc(dest->gkv.num_kvs, sizeof(struct agm_key_value));
     if (!dest->gkv.kv) {
         AGM_LOGE("Memory allocation failed to copy GKV\n");
@@ -318,6 +318,11 @@
         goto done;
     }
     dest->ckv.num_kvs = NUM_CKV(metadata);
+    if (dest->ckv.num_kvs > MAX_KVPAIR_PROPS) {
+        AGM_LOGE("Num CKVs %d more than expected: %d",dest->ckv.num_kvs, MAX_KVPAIR_PROPS);
+        ret = -EINVAL;
+        goto free_metadata;
+    }
     dest->ckv.kv =  calloc(dest->ckv.num_kvs, sizeof(struct agm_key_value));
     if (!dest->ckv.kv) {
         AGM_LOGE("Memory allocation failed to copy CKV\n");
@@ -346,6 +351,12 @@
         goto free_metadata;
     }
     dest->sg_props.num_values = NUM_PROPS(metadata);
+    if (dest->sg_props.num_values > MAX_KVPAIR_PROPS) {
+        AGM_LOGE("Num Props %d more than expected: %d",dest->sg_props.num_values, MAX_KVPAIR_PROPS);
+        ret = -EINVAL;
+        goto free_metadata;
+    }
+
     dest->sg_props.values =  calloc(dest->sg_props.num_values, sizeof(uint32_t));
     if (!dest->sg_props.values) {
         AGM_LOGE("Memory allocation failed to copy properties\n");