From 104c4d956a91c52d83e76f6f857a60f0bc0f0b4c Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Tue, 18 Jan 2011 19:33:21 +0100
Subject: [PATCH] Validate the ringbuffer pointers before using them.
---
 src/cressi_edy.c | 13 +++++++++++++
 src/zeagle_n2ition3.c | 13 +++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/src/cressi_edy.c b/src/cressi_edy.c
index fdefd23..96155ef 100644
--- a/src/cressi_edy.c
+++ b/src/cressi_edy.c
@@ -372,12 +372,21 @@ cressi_edy_device_foreach (device_t *abstract, dive_callback_t callback, void *u
 // Get the logbook pointers.
 unsigned int last = config[0x7C];
 unsigned int first = config[0x7D];
+ if (first < RB_LOGBOOK_BEGIN || first >= RB_LOGBOOK_END ||
+ last < RB_LOGBOOK_BEGIN || last >= RB_LOGBOOK_END) {
+ WARNING ("Invalid ringbuffer pointer detected.");
+ return DEVICE_STATUS_ERROR;
+ }
 // Get the number of logbook items.
 unsigned int count = ringbuffer_distance (first, last, 0, RB_LOGBOOK_BEGIN, RB_LOGBOOK_END) + 1;
 // Get the profile pointer.
 unsigned int eop = array_uint16_le (config + 0x7E) * PAGESIZE + BASE;
+ if (eop < RB_PROFILE_BEGIN || eop >= RB_PROFILE_END) {
+ WARNING ("Invalid ringbuffer pointer detected.");
+ return DEVICE_STATUS_ERROR;
+ }
 // Memory buffer for the profile data.
 unsigned char buffer[RB_PROFILE_END - RB_PROFILE_BEGIN] = {0};
@@ -392,6 +401,10 @@ cressi_edy_device_foreach (device_t *abstract, dive_callback_t callback, void *u
 for (unsigned int i = 0; i < count; ++i) {
 // Get the pointer to the profile data.
 unsigned int current = array_uint16_le (config + 2 * idx) * PAGESIZE + BASE;
+ if (current < RB_PROFILE_BEGIN || current >= RB_PROFILE_END) {
+ WARNING ("Invalid ringbuffer pointer detected.");
+ return DEVICE_STATUS_ERROR;
+ }
 // Position the pointer at the start of the header.
 if (current == RB_PROFILE_BEGIN)
diff --git a/src/zeagle_n2ition3.c b/src/zeagle_n2ition3.c
index a3208a6..0aaf71d 100644
--- a/src/zeagle_n2ition3.c
+++ b/src/zeagle_n2ition3.c
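Review bot: Both checks added in the first hunk log the identical text `Invalid ringbuffer pointer detected.`, so a report from a device with corrupted memory cannot tell whether the logbook indices read from config[0x7C]/config[0x7D] or the end-of-profile pointer read from config[0x7E] failed validation. Each site should name the pointer it rejected and, if WARNING accepts printf-style arguments (its definition is not visible here), include the offending value, e.g. `WARNING ("Invalid logbook pointers (first=%u, last=%u).", first, last);` and `WARNING ("Invalid end-of-profile pointer (0x%X).", eop);`. The checks are placed before `count` and `eop` are consumed, which is the right spot; cressi_edy_device_foreach begins before this hunk, so where `config` is filled in is not visible from the patch.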
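Review bot: In the second cressi_edy.c hunk the new check validates the value read from `config + 2 * idx` but not the read itself, which stays inside the config page only because `idx` is derived from `first`/`last` (constrained to [RB_LOGBOOK_BEGIN, RB_LOGBOOK_END) in the earlier hunk) and, presumably, because `2 * RB_LOGBOOK_END` does not reach the pointer bytes at 0x7C; that relationship is stated nowhere. A one-line comment above the read would make the invariant explicit, e.g. `// idx is in [RB_LOGBOOK_BEGIN, RB_LOGBOOK_END) (validated above), so 2 * idx stays below the pointer bytes at 0x7C.` — adjust the wording to the actual RB_LOGBOOK_* definitions, which are outside this hunk. The loop body continues past the end of the hunk.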
@@ -308,12 +308,21 @@ zeagle_n2ition3_device_foreach (device_t *abstract, dive_callback_t callback, vo
 // Get the logbook pointers.
 unsigned int last = config[0x7C];
 unsigned int first = config[0x7D];
+ if (first < RB_LOGBOOK_BEGIN || first >= RB_LOGBOOK_END ||
+ last < RB_LOGBOOK_BEGIN || last >= RB_LOGBOOK_END) {
+ WARNING ("Invalid ringbuffer pointer detected.");
+ return DEVICE_STATUS_ERROR;
+ }
 // Get the number of logbook items.
 unsigned int count = ringbuffer_distance (first, last, 0, RB_LOGBOOK_BEGIN, RB_LOGBOOK_END) + 1;
 // Get the profile pointer.
 unsigned int eop = array_uint16_le (config + 0x7E);
+ if (eop < RB_PROFILE_BEGIN || eop >= RB_PROFILE_END) {
+ WARNING ("Invalid ringbuffer pointer detected.");
+ return DEVICE_STATUS_ERROR;
+ }
 // The logbook ringbuffer can store at most 60 dives, even if the profile
 // data could store more (e.g. many small dives). But it's also possible
@@ -325,6 +334,10 @@ zeagle_n2ition3_device_foreach (device_t *abstract, dive_callback_t callback, vo
 for (unsigned int i = 0; i < count; ++i) {
 // Get the pointer to the profile data.
 unsigned int current = array_uint16_le (config + 2 * idx);
+ if (current < RB_PROFILE_BEGIN || current >= RB_PROFILE_END) {
+ WARNING ("Invalid ringbuffer pointer detected.");
+ return DEVICE_STATUS_ERROR;
+ }
 // Get the profile length.
 unsigned int length = ringbuffer_distance (current, previous, 1, RB_PROFILE_BEGIN, RB_PROFILE_END);
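Review bot: The two checks added in the first zeagle_n2ition3.c hunk are a verbatim copy of the ones added to cressi_edy.c, differing only in the bounds macros, and the same three-line pattern appears a third time in each file inside the dive loop. A small shared helper next to ringbuffer_distance, e.g. `static inline int ringbuffer_pointer_valid (unsigned int p, unsigned int begin, unsigned int end) { return p >= begin && p < end; }`, would keep the six sites identical and make the half-open `[begin, end)` convention one decision rather than one repeated per site. Whether a shared ringbuffer header exists is not visible in the patch; the ringbuffer_distance call suggests it does.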
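Review bot: The `return DEVICE_STATUS_ERROR` added inside the loop in the second hunk fires after earlier iterations have presumably already handed their dives to `callback` (the call itself is outside the hunk), so a caller gets an error return on top of a partially delivered dive list; that is a defensible choice for corrupted device memory, but the contract deserves a comment at the check, e.g. `// Abort on a corrupt pointer; dives already passed to callback stay delivered.` The same remark applies to the equivalent check in cressi_edy.c. The check does guard the ringbuffer_distance call below it, whose `previous` operand comes from outside the hunk — presumably `eop`, validated in the earlier hunk, on the first iteration.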