diff options
| author |  Antoine Reversat | 2017-01-10 09:55:15 -0800 |
|---|---|---|
| committer | Antoine Reversat | 2017-01-18 11:45:10 -0800 |
| commit | 45fda819e1aae3cacf25a04b9fe22cd6ddc61f5a (patch) | |
| tree | e335d272cd44b04b0a2c94cb8607b874aeed4fca | |
| parent | b78a42e0531d219e27f5c57350886bc7c14d4684 (diff) | |
| download | libimobiledevice-45fda819e1aae3cacf25a04b9fe22cd6ddc61f5a.tar.gz libimobiledevice-45fda819e1aae3cacf25a04b9fe22cd6ddc61f5a.tar.bz2 | |
property_list_service: Remove packet length check when receiving plist data
There are services that would send really large plist data, e.g. when listing
provisioning profiles. Instead of forcing the data to be less than 16MB we
try to allocate a buffer as large as requested. If the allocation fails the
function returns with an error.
| -rw-r--r-- | src/property_list_service.c | 89 |
1 files changed, 43 insertions, 46 deletions
diff --git a/src/property_list_service.c b/src/property_list_service.c index 141fab7..a5bdf9b 100644 --- a/src/property_list_service.c +++ b/src/property_list_service.c | |||
| @@ -193,59 +193,56 @@ static property_list_service_error_t internal_plist_receive_timeout(property_lis | |||
| 193 | debug_info("initial read failed!"); | 193 | debug_info("initial read failed!"); |
| 194 | return PROPERTY_LIST_SERVICE_E_MUX_ERROR; | 194 | return PROPERTY_LIST_SERVICE_E_MUX_ERROR; |
| 195 | } else { | 195 | } else { |
| 196 | uint32_t curlen = 0; | ||
| 197 | char *content = NULL; | ||
| 198 | |||
| 196 | pktlen = be32toh(pktlen); | 199 | pktlen = be32toh(pktlen); |
| 197 | if (pktlen < (1 << 24)) { /* prevent huge buffers */ | 200 | debug_info("%d bytes following", pktlen); |
| 198 | uint32_t curlen = 0; | 201 | content = (char*)malloc(pktlen); |
| 199 | char *content = NULL; | 202 | if (!content) { |
| 200 | debug_info("%d bytes following", pktlen); | 203 | debug_info("out of memory when allocating %d bytes", pktlen); |
| 201 | content = (char*)malloc(pktlen); | 204 | return PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR; |
| 202 | if (!content) { | 205 | } |
| 203 | debug_info("out of memory when allocating %d bytes", pktlen); | ||
| 204 | return PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR; | ||
| 205 | } | ||
| 206 | 206 | ||
| 207 | while (curlen < pktlen) { | 207 | while (curlen < pktlen) { |
| 208 | service_receive(client->parent, content+curlen, pktlen-curlen, &bytes); | 208 | service_receive(client->parent, content+curlen, pktlen-curlen, &bytes); |
| 209 | if (bytes <= 0) { | 209 | if (bytes <= 0) { |
| 210 | res = PROPERTY_LIST_SERVICE_E_MUX_ERROR; | 210 | res = PROPERTY_LIST_SERVICE_E_MUX_ERROR; |
| 211 | break; | 211 | break; |
| 212 | } | ||
| 213 | debug_info("received %d bytes", bytes); | ||
| 214 | curlen += bytes; | ||
| 215 | } | ||
| 216 | if (curlen < pktlen) { | ||
| 217 | debug_info("received incomplete packet (%d of %d bytes)", curlen, pktlen); | ||
| 218 | if (curlen > 0) { | ||
| 219 | debug_info("incomplete packet following:"); | ||
| 220 | debug_buffer(content, curlen); | ||
| 221 | } | ||
| 222 | free(content); | ||
| 223 | return res; | ||
| 224 | } | 212 | } |
| 225 | if ((pktlen > 8) && !memcmp(content, "bplist00", 8)) { | 213 | debug_info("received %d bytes", bytes); |
| 226 | plist_from_bin(content, pktlen, plist); | 214 | curlen += bytes; |
| 227 | } else if ((pktlen > 5) && !memcmp(content, "<?xml", 5)) { | 215 | } |
| 228 | /* iOS 4.3+ hack: plist data might contain invalid characters, thus we convert those to spaces */ | 216 | if (curlen < pktlen) { |
| 229 | for (bytes = 0; bytes < pktlen-1; bytes++) { | 217 | debug_info("received incomplete packet (%d of %d bytes)", curlen, pktlen); |
| 230 | if ((content[bytes] >= 0) && (content[bytes] < 0x20) && (content[bytes] != 0x09) && (content[bytes] != 0x0a) && (content[bytes] != 0x0d)) | 218 | if (curlen > 0) { |
| 231 | content[bytes] = 0x20; | 219 | debug_info("incomplete packet following:"); |
| 232 | } | 220 | debug_buffer(content, curlen); |
| 233 | plist_from_xml(content, pktlen, plist); | ||
| 234 | } else { | ||
| 235 | debug_info("WARNING: received unexpected non-plist content"); | ||
| 236 | debug_buffer(content, pktlen); | ||
| 237 | } | ||
| 238 | if (*plist) { | ||
| 239 | debug_plist(*plist); | ||
| 240 | res = PROPERTY_LIST_SERVICE_E_SUCCESS; | ||
| 241 | } else { | ||
| 242 | res = PROPERTY_LIST_SERVICE_E_PLIST_ERROR; | ||
| 243 | } | 221 | } |
| 244 | free(content); | 222 | free(content); |
| 245 | content = NULL; | 223 | return res; |
| 224 | } | ||
| 225 | if ((pktlen > 8) && !memcmp(content, "bplist00", 8)) { | ||
| 226 | plist_from_bin(content, pktlen, plist); | ||
| 227 | } else if ((pktlen > 5) && !memcmp(content, "<?xml", 5)) { | ||
| 228 | /* iOS 4.3+ hack: plist data might contain invalid characters, thus we convert those to spaces */ | ||
| 229 | for (bytes = 0; bytes < pktlen-1; bytes++) { | ||
| 230 | if ((content[bytes] >= 0) && (content[bytes] < 0x20) && (content[bytes] != 0x09) && (content[bytes] != 0x0a) && (content[bytes] != 0x0d)) | ||
| 231 | content[bytes] = 0x20; | ||
| 232 | } | ||
| 233 | plist_from_xml(content, pktlen, plist); | ||
| 234 | } else { | ||
| 235 | debug_info("WARNING: received unexpected non-plist content"); | ||
| 236 | debug_buffer(content, pktlen); | ||
| 237 | } | ||
| 238 | if (*plist) { | ||
| 239 | debug_plist(*plist); | ||
| 240 | res = PROPERTY_LIST_SERVICE_E_SUCCESS; | ||
| 246 | } else { | 241 | } else { |
| 247 | res = PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR; | 242 | res = PROPERTY_LIST_SERVICE_E_PLIST_ERROR; |
| 248 | } | 243 | } |
| 244 | free(content); | ||
| 245 | content = NULL; | ||
| 249 | } | 246 | } |
| 250 | return res; | 247 | return res; |
| 251 | } | 248 | } |