From 764384da9f8ed85abf5c22e05ab77acfad010b24 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Wed, 9 Oct 2013 14:34:10 +0200
Subject: property_list_service: improve error checking on receive

---
 src/property_list_service.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/property_list_service.c b/src/property_list_service.c
index 28739c7..ea117af 100644
--- a/src/property_list_service.c
+++ b/src/property_list_service.c
@@ -223,6 +223,7 @@ static property_list_service_error_t internal_plist_receive_timeout(property_lis
 		return PROPERTY_LIST_SERVICE_E_INVALID_ARG;
 	}
 
+	*plist = NULL;
 	service_error_t serr = service_receive_with_timeout(client->parent, (char*)&pktlen, sizeof(pktlen), &bytes, timeout);
 	if ((serr == SERVICE_E_SUCCESS) && (bytes == 0)) {
 		return PROPERTY_LIST_SERVICE_E_TIMEOUT;
@@ -238,6 +239,10 @@ static property_list_service_error_t internal_plist_receive_timeout(property_lis
 			char *content = NULL;
 			debug_info("%d bytes following", pktlen);
 			content = (char*)malloc(pktlen);
+			if (!content) {
+				debug_info("out of memory when allocating %d bytes\n", pktlen);
+				return PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR;
+			}
 
 			while (curlen < pktlen) {
 				service_receive(client->parent, content+curlen, pktlen-curlen, &bytes);
@@ -248,15 +253,27 @@ static property_list_service_error_t internal_plist_receive_timeout(property_lis
 				debug_info("received %d bytes", bytes);
 				curlen += bytes;
 			}
-			if (!memcmp(content, "bplist00", 8)) {
+			if (curlen < pktlen) {
+				debug_info("received incomplete packet (%d of %d bytes)\n", curlen, pktlen);
+				if (curlen > 0) {
+					debug_info("incomplete packet following:");
+					debug_buffer(content, curlen);
+				}
+				free(content);
+				return res;
+			}
+			if ((pktlen > 8) && !memcmp(content, "bplist00", 8)) {
 				plist_from_bin(content, pktlen, plist);
-			} else {
+			} else if ((pktlen > 5) && !memcmp(content, "<?xml", 5)) {
 				/* iOS 4.3+ hack: plist data might contain invalid characters, thus we convert those to spaces */
 				for (bytes = 0; bytes < pktlen-1; bytes++) {
 					if ((content[bytes] >= 0) && (content[bytes] < 0x20) && (content[bytes] != 0x09) && (content[bytes] != 0x0a) && (content[bytes] != 0x0d))
 						content[bytes] = 0x20;
 				}
 				plist_from_xml(content, pktlen, plist);
+			} else {
+				debug_info("WARNING: received unexpected non-plist content");
+				debug_buffer(content, pktlen);
 			}
 			if (*plist) {
 				debug_plist(*plist);
-- 
cgit v1.1-32-gdbae