From dc67b7b640e0ff4dc466e71f7852092f52b970b6 Mon Sep 17 00:00:00 2001
From: Marek Puzyniak <marek.puzyniak@iopsys.eu>
Date: Mon, 14 Aug 2023 13:24:55 +0200
Subject: [PATCH] Prevent tlv index exceeding

Use TLV_MAXNUM.

Signed-off-by: Marek Puzyniak <marek.puzyniak@iopsys.eu>
---
 src/ieee1905/cmdu_validate.c | 24 ++++++++++++------------
 src/ieee1905/cmdu_validate.h | 10 +++++-----
 src/ieee1905/ieee1905_deps.c |  4 ++--
 src/ieee1905/ieee1905_deps.h |  2 +-
 src/ieee1905/topologyd.c     | 26 +++++++++++++-------------
 5 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/src/ieee1905/cmdu_validate.c b/src/ieee1905/cmdu_validate.c
index 47d79eb..4bdb092 100644
--- a/src/ieee1905/cmdu_validate.c
+++ b/src/ieee1905/cmdu_validate.c
@@ -88,7 +88,7 @@ static int check_device_id_tlv(struct tlv *t)
 			sizeof(struct tlv_device_identification));
 }
 
-bool validate_topology_discovery(struct cmdu_buff *cmdu, struct tlv *tv[][16])
+bool validate_topology_discovery(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM])
 {
 	int ret;
 	struct tlv_policy d_policy[] = {
@@ -126,7 +126,7 @@ bool validate_topology_discovery(struct cmdu_buff *cmdu, struct tlv *tv[][16])
 }
 
 
-bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
+bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM])
 {
 	dbg("%s: --->\n", __func__);
 
@@ -225,7 +225,7 @@ bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
 	}
 
 	/* TLV_TYPE_DEVICE_BRIDGING_CAPABILITIES */
-	while (tv[1][num]) {
+	while (num < TLV_MAXNUM && tv[1][num]) {
 		uint8_t *tv_data;
 		struct tlv_device_bridge_caps *tlv;
 		uint16_t tlv_len = 0;
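Review bot: The guard `num < TLV_MAXNUM && tv[1][num]` is open-coded here and in the thirteen other TLV walks this patch touches (six more in cmdu_validate.c, seven in topologyd.c), so any loop added later without it brings back the read past the end of a full row. A small accessor would keep the bound in one place, for example `#define TLV_AT(tv, row, i) ((i) < TLV_MAXNUM ? (tv)[(row)][(i)] : NULL)` used as `while (TLV_AT(tv, 1, num))`; the name is only a suggestion. A one-line comment should also say that a row with all TLV_MAXNUM slots filled ends the walk without any error, since whether the parser rejects or drops further TLVs of that type is not visible in this diff. The declaration and increment of `num`, and the rest of validate_topology_response(), lie outside the hunk.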
@@ -268,7 +268,7 @@ bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
 	num = 0;
 
 	/* TLV_TYPE_NON_1905_NEIGHBOR_DEVICE_LIST */
-	while (tv[2][num]) {
+	while (num < TLV_MAXNUM && tv[2][num]) {
 		struct tlv_non1905_neighbor *tlv;
 		uint16_t tlv_len = 0;
 		int size = 0;
@@ -295,7 +295,7 @@ bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
 
 	num = 0;
 	/* TLV_TYPE_NEIGHBOR_DEVICE_LIST */
-	while (tv[3][num]) {
+	while (num < TLV_MAXNUM && tv[3][num]) {
 		struct tlv_1905neighbor *tlv;
 		uint16_t tlv_len = 0;
 		int size = 0;
@@ -484,7 +484,7 @@ bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
 	return true;
 }
 
-bool validate_ap_autoconfig_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
+bool validate_ap_autoconfig_response(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM])
 {
 	struct tlv_policy a_policy[] = {
 		[0] = { .type = TLV_TYPE_SUPPORTED_ROLE,
@@ -535,7 +535,7 @@ bool validate_ap_autoconfig_response(struct cmdu_buff *cmdu, struct tlv *tv[][16
 }
 
 
-bool validate_higher_layer_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
+bool validate_higher_layer_response(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM])
 {
 
 	dbg("%s: --->\n", __func__);
@@ -605,7 +605,7 @@ bool validate_higher_layer_response(struct cmdu_buff *cmdu, struct tlv *tv[][16]
 	num = 0;
 
 	/* TLV_TYPE_IPV4 */
-	while (tv[4][num]) {
+	while (num < TLV_MAXNUM && tv[4][num]) {
 		uint8_t *tv_data;
 		struct tlv_ipv4 *tlv;
 		uint16_t tlv_len = 0;
@@ -660,7 +660,7 @@ bool validate_higher_layer_response(struct cmdu_buff *cmdu, struct tlv *tv[][16]
 
 	num = 0;
 	/* TLV_TYPE_IPV6 */
-	while (tv[5][num]) {
+	while (num < TLV_MAXNUM && tv[5][num]) {
 		uint8_t *tv_data;
 		struct tlv_ipv6 *tlv;
 		uint16_t tlv_len = 0;
@@ -722,7 +722,7 @@ bool validate_higher_layer_response(struct cmdu_buff *cmdu, struct tlv *tv[][16]
 	return true;
 }
 
-bool validate_link_metric_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
+bool validate_link_metric_response(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM])
 {
 	 struct tlv_policy a_policy[] = {
 		[0] = { .type = TLV_TYPE_TRANSMITTER_LINK_METRIC,
@@ -745,7 +745,7 @@ bool validate_link_metric_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
 	}
 
 	/* TLV_TYPE_TRANSMITTER_LINK_METRIC */
-	while (tv[0][num]) {
+	while (num < TLV_MAXNUM && tv[0][num]) {
 		struct tlv_tx_linkmetric *tlv;
 		uint16_t tlv_len = 0;
 		int offset = 0;
@@ -780,7 +780,7 @@ bool validate_link_metric_response(struct cmdu_buff *cmdu, struct tlv *tv[][16])
 
 	num = 0;
 	/* TLV_TYPE_RECEIVER_LINK_METRIC */
-	while (tv[1][num]) {
+	while (num < TLV_MAXNUM && tv[1][num]) {
 		struct tlv_rx_linkmetric *tlv;
 		uint16_t tlv_len = 0;
 		int offset = 0;
diff --git a/src/ieee1905/cmdu_validate.h b/src/ieee1905/cmdu_validate.h
index 3180e5e..1b8b9c6 100644
--- a/src/ieee1905/cmdu_validate.h
+++ b/src/ieee1905/cmdu_validate.h
@@ -3,10 +3,10 @@
 #ifndef CMDU_VALIDATE
 #define CMDU_VALIDATE
 
-bool validate_topology_discovery(struct cmdu_buff *cmdu, struct tlv *tv[][16]);
-bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv_tsp[][16]);
-bool validate_ap_autoconfig_response(struct cmdu_buff *cmdu, struct tlv *tv[][16]);
-bool validate_higher_layer_response(struct cmdu_buff *cmdu, struct tlv *tv[][16]);
-bool validate_link_metric_response(struct cmdu_buff *cmdu, struct tlv *tv[][16]);
+bool validate_topology_discovery(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM]);
+bool validate_topology_response(struct cmdu_buff *cmdu, struct tlv *tv_tsp[][TLV_MAXNUM]);
+bool validate_ap_autoconfig_response(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM]);
+bool validate_higher_layer_response(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM]);
+bool validate_link_metric_response(struct cmdu_buff *cmdu, struct tlv *tv[][TLV_MAXNUM]);
 
 #endif	// CMDU_VALIDATE
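Review bot: These prototypes now need the `TLV_MAXNUM` macro to be defined before the header is included, and no `#include` is visible between the include guard and the first prototype, so the header gains one more inclusion-order dependency that fails with an undeclared identifier rather than a warning. Lines 1-2 of the header are outside the hunk, so this may already be handled there; if not, include the defining header directly, `#include "<header that defines TLV_MAXNUM>"` (placeholder, the file name is not shown in this patch). The same applies to the `t_cmdu_parse_tlvs` declaration in ieee1905_deps.h.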
diff --git a/src/ieee1905/ieee1905_deps.c b/src/ieee1905/ieee1905_deps.c
index de4bfda..80df38b 100644
--- a/src/ieee1905/ieee1905_deps.c
+++ b/src/ieee1905/ieee1905_deps.c
@@ -45,7 +45,7 @@ uint8_t (*t_cmdu_get_fid)(struct cmdu_buff *c);
 uint16_t (*t_cmdu_get_type)(struct cmdu_buff *c);
 
 
-int (*t_cmdu_parse_tlvs)(struct cmdu_buff *c, struct tlv *tv[][16],
+int (*t_cmdu_parse_tlvs)(struct cmdu_buff *c, struct tlv *tv[][TLV_MAXNUM],
 		    struct tlv_policy *policy, int policy_len);
 
 
@@ -121,7 +121,7 @@ uint16_t u_cmdu_get_type(struct cmdu_buff *c)
 	return 0xffff;
 }
 
-int u_cmdu_parse_tlvs(struct cmdu_buff *c, struct tlv *tv[][16],
+int u_cmdu_parse_tlvs(struct cmdu_buff *c, struct tlv *tv[][TLV_MAXNUM],
 		      struct tlv_policy *policy, int policy_len)
 {
 	return -1;
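Review bot: Nothing in this file ties the `TLV_MAXNUM` in these two signatures to the value that the function eventually assigned to `t_cmdu_parse_tlvs` was compiled with. The column count fixes the row stride of `tv`, so if that function comes from a separately built library (how the pointer is set is outside the hunks), a differing value would make it store rows at offsets the callers do not read, and possibly beyond the caller's array. I would document the contract above the pointer declaration, for example `/* tv column count is part of the ABI: must equal the TLV_MAXNUM the bound parser was built with */`. The stub `u_cmdu_parse_tlvs()` returns -1 without writing to `tv`, which is only safe for callers that zero the array and check the return value.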
diff --git a/src/ieee1905/ieee1905_deps.h b/src/ieee1905/ieee1905_deps.h
index 0548531..d0e6071 100644
--- a/src/ieee1905/ieee1905_deps.h
+++ b/src/ieee1905/ieee1905_deps.h
@@ -33,7 +33,7 @@ extern uint8_t (*t_cmdu_get_fid)(struct cmdu_buff *c);
 extern uint16_t (*t_cmdu_get_type)(struct cmdu_buff *c);
 
 
-extern int (*t_cmdu_parse_tlvs)(struct cmdu_buff *c, struct tlv *tv[][16],
+extern int (*t_cmdu_parse_tlvs)(struct cmdu_buff *c, struct tlv *tv[][TLV_MAXNUM],
 		    struct tlv_policy *policy, int policy_len);
 
 
diff --git a/src/ieee1905/topologyd.c b/src/ieee1905/topologyd.c
index 180edff..22da516 100644
--- a/src/ieee1905/topologyd.c
+++ b/src/ieee1905/topologyd.c
@@ -496,7 +496,7 @@ void topologyd_process_topology_response(struct cmdu_buff *cstruct, struct topol
 
 	struct node n = { 0 };
 	int ret;
-	struct tlv *tv[11][16] = {0};
+	struct tlv *tv[11][TLV_MAXNUM] = {0};
 
 	if (cstruct == NULL || priv == NULL)
 		return;
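Review bot: The row count in `struct tlv *tv[11][TLV_MAXNUM]` is still a bare literal, and because the callee parameter is `tv[][TLV_MAXNUM]` the compiler cannot check it against the number of policy entries the parser fills. The policy table for this message is not in the hunk, so I cannot confirm that it has eleven entries; a shared named constant, e.g. `struct tlv *tv[TOPOLOGY_RESPONSE_TLV_TYPES][TLV_MAXNUM] = {0};` (name invented here), would make a mismatch visible. The same holds for the `tv[6]`, `tv[4]`, `tv[2]` and `tv[1]` declarations in the later hunks of this file. Each of these arrays now puts rows × TLV_MAXNUM pointers on the stack, so the macro's value, which this patch does not show, decides whether that is acceptable for the daemon's stack.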
@@ -532,7 +532,7 @@ void topologyd_process_topology_response(struct cmdu_buff *cstruct, struct topol
 	if (tv[1][0]) {
 		int num = 0;
 
-		while (tv[1][num]) {
+		while (num < TLV_MAXNUM && tv[1][num]) {
 			ret = topology_update_bridging_info(&n,
 					(struct tlv_device_bridge_caps *)tv[1][num]->data);
 			if (ret)
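Review bot: `topology_update_bridging_info()` is given only `tv[1][num]->data` cast to `struct tlv_device_bridge_caps *`, with no TLV length, whereas the two calls in the following hunks pass `BUF_GET_BE16(tv[N][num]->len)` along with the data. The new `num < TLV_MAXNUM` bound limits how many TLVs are visited, not how far into each TLV the callee reads. If the callee relies on validate_topology_response() having checked the length first, say so at the call, e.g. `/* bridging TLV length already checked in validate_topology_response() */`; whether that validation runs before this loop, and what the callee's signature is, lie outside the hunk.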
@@ -546,7 +546,7 @@ void topologyd_process_topology_response(struct cmdu_buff *cstruct, struct topol
 		int num = 0;
 		int list_num = 0;
 
-		while (tv[2][num]) {
+		while (num < TLV_MAXNUM && tv[2][num]) {
 			ret = topology_update_non_i1905nbr_list(&n,
 						(struct tlv_non1905_neighbor *)tv[2][num]->data,
 						BUF_GET_BE16(tv[2][num]->len),
@@ -560,7 +560,7 @@ void topologyd_process_topology_response(struct cmdu_buff *cstruct, struct topol
 	if (tv[3][0]) {
 		int num = 0;
 		int list_num = 0;
-		while (tv[3][num]) {
+		while (num < TLV_MAXNUM && tv[3][num]) {
 			ret = topology_update_neigh_list(priv, &n,
 						(struct tlv_1905neighbor *)tv[3][num]->data,
 						BUF_GET_BE16(tv[3][num]->len),
@@ -572,7 +572,7 @@ void topologyd_process_topology_response(struct cmdu_buff *cstruct, struct topol
 	}
 	if (tv[4][0]) {
 		int num = 0;
-		while (tv[4][num]) {
+		while (num < TLV_MAXNUM && tv[4][num]) {
 			ret = topology_update_poweroff_list(&n);
 			if (ret)
 				break;
@@ -582,7 +582,7 @@ void topologyd_process_topology_response(struct cmdu_buff *cstruct, struct topol
 
 	if (tv[5][0]) {
 		int num = 0;
-		while (tv[5][num]) {
+		while (num < TLV_MAXNUM && tv[5][num]) {
 			ret = topology_update_l2_neigh(&n);
 			if (ret)
 				break;
@@ -756,7 +756,7 @@ void topologyd_process_higherlayer_response(struct cmdu_buff *cstruct, struct to
 {
 	struct node *n = NULL;
 	int ret;
-	struct tlv *tv[6][16] = {0};
+	struct tlv *tv[6][TLV_MAXNUM] = {0};
 	uint8_t aladdr_origin[6] = {0};
 	struct tlv_1905_profile *profile;
 
@@ -830,7 +830,7 @@ void topologyd_process_autoconfiguration_response(struct cmdu_buff *cstruct, str
 {
 
 	struct tlv_supported_band *freq;
-	struct tlv *tv[4][16];
+	struct tlv *tv[4][TLV_MAXNUM] = {0};
 
 	dbg("%s -------------->\n", __func__);
 
@@ -950,7 +950,7 @@ int topology_update_rx_link_metric(struct node *n, struct tlv_rx_linkmetric *rxl
 void topologyd_process_linkmetric_response(struct cmdu_buff *cstruct, struct topologyd_private *priv)
 {
 
-	struct tlv *tv[2][16];
+	struct tlv *tv[2][TLV_MAXNUM] = {0};
 	int num = 0;
 	int ret;
 	struct node *n;
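Review bot: The `= {0}` added to `tv` is a second fix that the commit message does not mention: the array was uninitialised before, and the loops `while (num < TLV_MAXNUM && tv[0][num])` further down treat the first NULL slot as the end of a row. Whether the parser clears unused slots itself is not visible here, so I would keep the initialiser and say why, e.g. `/* zeroed: the walks below stop at the first NULL slot */`. The same initialiser was added to `tv[4][TLV_MAXNUM]` in topologyd_process_autoconfiguration_response() and deserves the same comment. The function body continues past the hunk.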
@@ -965,7 +965,7 @@ void topologyd_process_linkmetric_response(struct cmdu_buff *cstruct, struct top
 		return;
 	}
 
-	while (tv[0][num]) {
+	while (num < TLV_MAXNUM && tv[0][num]) {
 		struct tlv_tx_linkmetric *txl =
 			(struct tlv_tx_linkmetric *)tv[0][num]->data;
 
@@ -1002,7 +1002,7 @@ void topologyd_process_linkmetric_response(struct cmdu_buff *cstruct, struct top
 	}
 
 	num = 0;
-	while (tv[1][num]) {
+	while (num < TLV_MAXNUM && tv[1][num]) {
 		struct tlv_rx_linkmetric *rxl =
 			(struct tlv_rx_linkmetric *)tv[1][num]->data;
 
@@ -1045,7 +1045,7 @@ void topologyd_process_topology_discovery(struct cmdu_buff *cstruct,
 						struct topologyd_private *priv)
 {
 	struct host_node *node;
-	struct tlv *tv[2][16] = {0};
+	struct tlv *tv[2][TLV_MAXNUM] = {0};
 	struct tlv_macaddr *macaddr;
 	struct tlv_aladdr *aladdr;
 
@@ -2941,7 +2941,7 @@ int topologyd_send_ieee1905_topology_query(struct topologyd_private *p,
 void topologyd_process_topology_notification(struct cmdu_buff *cstruct,
 						struct topologyd_private *priv)
 {
-	struct tlv *tv[1][16] = {0};
+	struct tlv *tv[1][TLV_MAXNUM] = {0};
 	struct tlv_policy a_policy[] = {
 		[0] = { .type = MAP_TLV_CLIENT_ASSOCIATION_EVENT, .present = TLV_PRESENT_ONE },
 	};
-- 
GitLab