authorGravatar Nikias Bassen2011-01-11 05:20:28 +0100
committerGravatar Martin Szulecki2011-04-11 19:42:20 +0200
commit8c771ad2ee401bb098f0a437a3c86b68ea0bcde3 (patch)
treec0f28937c538856c4658b3711cb7555a2dffa95d
parent39a5eceaaebee5fd84cfa817e7f70d5bf26ba02a (diff)
idevicebackup4: add more error checking to mb2_handle_receive_files
-rw-r--r--tools/idevicebackup4.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/tools/idevicebackup4.c b/tools/idevicebackup4.c
index 40f1a83..7084669 100644
--- a/tools/idevicebackup4.c
+++ b/tools/idevicebackup4.c
@@ -757,10 +757,18 @@ static int mb2_handle_receive_files(plist_t message, const char *backup_dir)
if (nlen == 0) {
// we're done here
break;
+ } else if (nlen > 4096) {
+ // too very long path
+ printf("ERROR: %s: too long device filename (%d)!\n", __func__, nlen);
+ break;
}
fname = (char*)malloc(nlen+1);
r = 0;
mobilebackup2_receive_raw(mobilebackup2, fname, nlen, &r);
+ if (r != nlen) {
+ printf("ERROR: %s: could not read device filename\n", __func__);
+ break;
+ }
fname[r] = 0;
// we don't need this name
//printf("\n%s\n", fname);
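Review bot: The added `if (r != nlen)` branch leaves the loop after `fname` has been allocated, so the buffer leaks on every short read; put `free(fname);` before the `break`. The same applies to the `could not receive backup filename` branch in the next hunk. The result of `malloc(nlen+1)` is still handed to `mobilebackup2_receive_raw` unchecked, so a failed allocation would be written through a NULL pointer. `nlen` is passed through `GUINT32_FROM_BE`, so it is presumably an unsigned 32-bit value and the new messages should print it with `%u` rather than `%d`. The loop and function body start and end outside the hunk, so confirm that no later cleanup path already frees `fname`.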
@@ -768,19 +776,35 @@ static int mb2_handle_receive_files(plist_t message, const char *backup_dir)
nlen = 0;
mobilebackup2_receive_raw(mobilebackup2, (char*)&nlen, 4, &r);
nlen = GUINT32_FROM_BE(nlen);
+ if (nlen == 0) {
+ printf("ERROR: %s: zero-length backup filename!\n", __func__);
+ break;
+ } else if (nlen > 4096) {
+ printf("ERROR: %s: too long backup filename (%d)!\n", __func__, nlen);
+ break;
+ }
fname = (char*)malloc(nlen+1);
mobilebackup2_receive_raw(mobilebackup2, fname, nlen, &r);
if (r != nlen) {
- fprintf(stderr, "hmmm.... received %d from %d\n", r, nlen);
+ printf("ERROR: %s: could not receive backup filename!\n", __func__);
+ break;
}
fname[r] = 0;
bname = g_build_path(G_DIR_SEPARATOR_S, backup_dir, fname, NULL);
free(fname);
nlen = 0;
mobilebackup2_receive_raw(mobilebackup2, (char*)&nlen, 4, &r);
+ if (r != 4) {
+ printf("ERROR: %s: could not receive code length!\n", __func__);
+ break;
+ }
nlen = GUINT32_FROM_BE(nlen);
code = 0;
mobilebackup2_receive_raw(mobilebackup2, &code, 1, &r);
+ if (r != 1) {
+ printf("ERROR: %s: could not receive code!\n", __func__);
+ break;
+ }
/* TODO remove this */
if ((code != CODE_SUCCESS) && (code != CODE_FILE_DATA) && (code != CODE_ERROR_REMOTE)) {