From e3a372e1ea50ae1ca6df143ac7f7f41d68601b2a Mon Sep 17 00:00:00 2001
From: Ian Gulliver <flamingcow@gmail.com>
Date: Fri, 26 Feb 2016 14:09:37 -0800
Subject: [PATCH] Hex parsing hardening.

---
 adsbus/airspy_adsb.c | 14 +++++++++++---
 adsbus/airspy_adsb.h |  2 +-
 adsbus/beast.h       |  2 +-
 adsbus/hex.c         | 29 +++++++++++++++++++++++------
 adsbus/hex.h         |  5 +++--
 adsbus/json.c        |  8 ++++++--
 adsbus/json.h        |  2 +-
 adsbus/list.h        |  2 +-
 adsbus/proto.h       |  2 +-
 adsbus/raw.c         |  8 ++++++--
 adsbus/raw.h         |  2 +-
 11 files changed, 55 insertions(+), 21 deletions(-)

diff --git a/adsbus/airspy_adsb.c b/adsbus/airspy_adsb.c
index 03c2952..2121bfb 100644
--- a/adsbus/airspy_adsb.c
+++ b/adsbus/airspy_adsb.c
@@ -53,7 +53,11 @@ static bool airspy_adsb_parse_common(const struct airspy_adsb_common_overlay *ov
 	if (!mlat_mhz) {
 		return false;
 	}
-	packet->mlat_timestamp = packet_mlat_timestamp_scale_in(hex_to_int(overlay->mlat_timestamp, sizeof(overlay->mlat_timestamp) / 2), UINT32_MAX, mlat_mhz, &state->mlat_state);
+	int64_t mlat_timestamp_in = hex_to_int(overlay->mlat_timestamp, sizeof(overlay->mlat_timestamp) / 2);
+	if (mlat_timestamp_in < 0) {
+		return false;
+	}
+	packet->mlat_timestamp = packet_mlat_timestamp_scale_in((uint64_t) mlat_timestamp_in, UINT32_MAX, mlat_mhz, &state->mlat_state);
 	packet->rssi = packet_rssi_scale_in((uint32_t) hex_to_int(overlay->rssi, sizeof(overlay->rssi) / 2), UINT16_MAX);
 	return true;
 }
@@ -71,7 +75,9 @@ static bool airspy_adsb_parse_mode_s_short(struct buf *buf, struct packet *packe
 		return false;
 	}
 	packet->type = PACKET_TYPE_MODE_S_SHORT;
-	hex_to_bin(packet->payload, short_overlay->payload, sizeof(short_overlay->payload) / 2);
+	if (!hex_to_bin(packet->payload, short_overlay->payload, sizeof(short_overlay->payload) / 2)) {
+		return false;
+	}
 	buf_consume(buf, sizeof(*short_overlay));
 	return true;
 }
@@ -89,7 +95,9 @@ static bool airspy_adsb_parse_mode_s_long(struct buf *buf, struct packet *packet
 		return false;
 	}
 	packet->type = PACKET_TYPE_MODE_S_LONG;
-	hex_to_bin(packet->payload, long_overlay->payload, sizeof(long_overlay->payload) / 2);
+	if (!hex_to_bin(packet->payload, long_overlay->payload, sizeof(long_overlay->payload) / 2)) {
+		return false;
+	}
 	buf_consume(buf, sizeof(*long_overlay));
 	return true;
 }
diff --git a/adsbus/airspy_adsb.h b/adsbus/airspy_adsb.h
index bbd9b8b..2fe2e86 100644
--- a/adsbus/airspy_adsb.h
+++ b/adsbus/airspy_adsb.h
@@ -6,5 +6,5 @@ struct buf;
 struct packet;
 
 void airspy_adsb_init(void);
-bool airspy_adsb_parse(struct buf *, struct packet *, void *);
+bool __attribute__ ((warn_unused_result)) airspy_adsb_parse(struct buf *, struct packet *, void *);
 void airspy_adsb_serialize(struct packet *, struct buf *);
diff --git a/adsbus/beast.h b/adsbus/beast.h
index 86ac9cc..e3e727a 100644
--- a/adsbus/beast.h
+++ b/adsbus/beast.h
@@ -6,5 +6,5 @@ struct buf;
 struct packet;
 
 void beast_init(void);
-bool beast_parse(struct buf *, struct packet *, void *);
+bool __attribute__ ((warn_unused_result)) beast_parse(struct buf *, struct packet *, void *);
 void beast_serialize(struct packet *, struct buf *);
diff --git a/adsbus/hex.c b/adsbus/hex.c
index ea0122e..a278bdd 100644
--- a/adsbus/hex.c
+++ b/adsbus/hex.c
@@ -4,11 +4,16 @@
 
 #include "hex.h"
 
-static uint8_t hex_table[256] = {0};
+static uint8_t hex_table[256];
 static uint8_t hex_upper_table[16] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F', };
 static uint8_t hex_lower_table[16] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', };
 
+#define HEX_INVALID 0xff
+
 void hex_init() {
+	for (size_t i = 0; i < sizeof(hex_table) / sizeof(*hex_table); i++) {
+		hex_table[i] = HEX_INVALID;
+	}
 	for (uint8_t i = '0'; i <= '9'; i++) {
 		hex_table[i] = i - '0';
 	}
@@ -20,21 +25,33 @@ void hex_init() {
 	}
 }
 
-void hex_to_bin(uint8_t *out, const uint8_t *in, size_t bytes) {
+bool hex_to_bin(uint8_t *out, const uint8_t *in, size_t bytes) {
 	for (size_t i = 0, j = 0; i < bytes; i++, j += 2) {
-		out[i] = (uint8_t) (hex_table[in[j]] << 4) | hex_table[in[j + 1]];
+		uint8_t val1 = hex_table[in[j]], val2 = hex_table[in[j + 1]];
+		if (val1 == HEX_INVALID || val2 == HEX_INVALID) {
+			return false;
+		}
+		out[i] = (uint8_t) (val1 << 4) | val2;
 	}
+	return true;
 }
 
-uint64_t hex_to_int(const uint8_t *in, size_t bytes) {
+int64_t hex_to_int(const uint8_t *in, size_t bytes) {
 	const uint8_t *in2 = (const uint8_t *) in;
 	uint64_t ret = 0;
 	bytes *= 2;
 	for (size_t i = 0; i < bytes; i++) {
 		ret <<= 4;
-		ret |= hex_table[in2[i]];
+		uint8_t val = hex_table[in2[i]];
+		if (val == 0xff) {
+			return -1;
+		}
+		ret |= val;
 	}
-	return ret;
+	if (ret > INT64_MAX) {
+		return -1;
+	}
+	return (int64_t) ret;
 }
 
 static void hex_from_bin(uint8_t *out, const uint8_t *in, size_t bytes, uint8_t table[]) {
diff --git a/adsbus/hex.h b/adsbus/hex.h
index 80f47bd..5d9eee0 100644
--- a/adsbus/hex.h
+++ b/adsbus/hex.h
@@ -1,11 +1,12 @@
 #pragma once
 
 #include <stdint.h>
+#include <stdbool.h>
 #include <stddef.h>
 
 void hex_init(void);
-void hex_to_bin(uint8_t *, const uint8_t *, size_t);
-uint64_t hex_to_int(const uint8_t *, size_t);
+bool __attribute__ ((warn_unused_result)) hex_to_bin(uint8_t *, const uint8_t *, size_t);
+int64_t __attribute__ ((warn_unused_result)) hex_to_int(const uint8_t *, size_t);
 void hex_from_bin_upper(uint8_t *, const uint8_t *, size_t);
 void hex_from_bin_lower(uint8_t *, const uint8_t *, size_t);
 void hex_from_int_upper(uint8_t *, uint64_t, size_t);
diff --git a/adsbus/json.c b/adsbus/json.c
index 87b758a..d739cd2 100644
--- a/adsbus/json.c
+++ b/adsbus/json.c
@@ -157,7 +157,9 @@ static bool json_parse_mode_s_short(json_t *in, struct packet *packet, struct js
 		return false;
 	}
 
-	hex_to_bin(packet->payload, (const uint8_t *) json_string_value(payload), 7);
+	if (!hex_to_bin(packet->payload, (const uint8_t *) json_string_value(payload), 7)) {
+		return false;
+	}
 	packet->type = PACKET_TYPE_MODE_S_SHORT;
 	return true;
 }
@@ -172,7 +174,9 @@ static bool json_parse_mode_s_long(json_t *in, struct packet *packet, struct jso
 		return false;
 	}
 
-	hex_to_bin(packet->payload, (const uint8_t *) json_string_value(payload), 14);
+	if (!hex_to_bin(packet->payload, (const uint8_t *) json_string_value(payload), 14)) {
+		return false;
+	}
 	packet->type = PACKET_TYPE_MODE_S_LONG;
 	return true;
 }
diff --git a/adsbus/json.h b/adsbus/json.h
index bd979bc..c5f2911 100644
--- a/adsbus/json.h
+++ b/adsbus/json.h
@@ -7,7 +7,7 @@ struct packet;
 
 void json_init(void);
 void json_cleanup(void);
-bool json_parse(struct buf *, struct packet *, void *);
+bool __attribute__ ((warn_unused_result)) json_parse(struct buf *, struct packet *, void *);
 void json_serialize(struct packet *, struct buf *);
 
 int json_buf_append_callback(const char *, size_t, void *);
diff --git a/adsbus/list.h b/adsbus/list.h
index 68417f9..fb9af51 100644
--- a/adsbus/list.h
+++ b/adsbus/list.h
@@ -34,6 +34,6 @@ struct list_head {
 				pos = n, n = list_entry(n->member.next, typeof(*n), member))
 
 void list_head_init(struct list_head *);
-bool list_is_empty(const struct list_head *);
+bool __attribute__ ((warn_unused_result)) list_is_empty(const struct list_head *);
 void list_add(struct list_head *, struct list_head *);
 void list_del(struct list_head *);
diff --git a/adsbus/proto.h b/adsbus/proto.h
index ca7b55d..21c377a 100644
--- a/adsbus/proto.h
+++ b/adsbus/proto.h
@@ -6,5 +6,5 @@ struct buf;
 struct packet;
 
 void proto_cleanup(void);
-bool proto_parse(struct buf *, struct packet *, void *);
+bool __attribute__ ((warn_unused_result)) proto_parse(struct buf *, struct packet *, void *);
 void proto_serialize(struct packet *, struct buf *);
diff --git a/adsbus/raw.c b/adsbus/raw.c
index c11fdee..de697b2 100644
--- a/adsbus/raw.c
+++ b/adsbus/raw.c
@@ -34,8 +34,10 @@ static bool raw_parse_mode_s_short(struct buf *buf, struct packet *packet) {
 			 (overlay->cr_lf != '\r' || overlay->lf != '\n'))) {
 		return false;
 	}
+	if (!hex_to_bin(packet->payload, overlay->payload, sizeof(overlay->payload) / 2)) {
+		return false;
+	}
 	packet->type = PACKET_TYPE_MODE_S_SHORT;
-	hex_to_bin(packet->payload, overlay->payload, sizeof(overlay->payload) / 2);
 	buf_consume(buf, overlay->cr_lf == '\r' ? sizeof(*overlay) : sizeof(*overlay) - 1);
 	return true;
 }
@@ -49,8 +51,10 @@ static bool raw_parse_mode_s_long(struct buf *buf, struct packet *packet) {
 			 (overlay->cr_lf != '\r' || overlay->lf != '\n'))) {
 		return false;
 	}
+	if (!hex_to_bin(packet->payload, overlay->payload, sizeof(overlay->payload) / 2)) {
+		return false;
+	}
 	packet->type = PACKET_TYPE_MODE_S_LONG;
-	hex_to_bin(packet->payload, overlay->payload, sizeof(overlay->payload) / 2);
 	buf_consume(buf, overlay->cr_lf == '\r' ? sizeof(*overlay) : sizeof(*overlay) - 1);
 	return true;
 }
diff --git a/adsbus/raw.h b/adsbus/raw.h
index 1c79a51..7c9bb5e 100644
--- a/adsbus/raw.h
+++ b/adsbus/raw.h
@@ -6,5 +6,5 @@ struct buf;
 struct packet;
 
 void raw_init(void);
-bool raw_parse(struct buf *, struct packet *, void *);
+bool __attribute__ ((warn_unused_result)) raw_parse(struct buf *, struct packet *, void *);
 void raw_serialize(struct packet *, struct buf *);